Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXczNjQtOHZmdi1ndmY1
Downloads Resources over HTTP in phantomjs-cheniu
Affected versions of phantomjs-cheniu insecurely download an executable over an unencrypted HTTP connection.
In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running phantomjs-cheniu.
Recommendation
No patch is currently available for this vulnerability.
As this package is just a fork of Medium's phantomjs-prebuilt package, the best mitigation is currently to install the Medium version of phantomjs-prebuilt. This can be done via the following command:
npm i phantomjs-prebuilt
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXczNjQtOHZmdi1ndmY1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 6 years ago
Updated: almost 2 years ago
Identifiers: GHSA-w364-8vfv-gvf5, CVE-2016-10661
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-10661
- https://github.com/advisories/GHSA-w364-8vfv-gvf5
- https://www.npmjs.com/advisories/262
Affected Packages
npm:phantomjs-cheniu
Dependent packages: 1Dependent repositories: 1
Downloads: 46 last month
Affected Version Ranges: <= 2.0.1
No known fixed version
All affected versions: 1.9.17, 2.0.0, 2.0.1