dalek-browser-ie-canary downloads Resources over HTTP

Severity:: High

Description

Affected versions of dalek-browser-ie-canary insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running dalek-browser-ie-canary.

Recommendation

No fix is available yet. Followings are affected versions:

<= 0.0.4-2014-04-04-12-11-49

References

GHSA-x56r-5r34-qg74
www.npmjs.com
CVE-2016-10612
CWE-311
CAPEC-310
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Downloads Resources over HTTP in dalek-browser-chrome-canary - CVE-2016-10584
dalek-browser-chrome Downloads Resources over HTTP - CVE-2016-10604
dalek-browser-ie downloads Resources over HTTP - CVE-2016-10605
node-browser downloads Resources over HTTP - CVE-2016-10618

Tags:: npm; dalek-browser-ie-canary

Anything's wrong? Let us know Last updated on September 11, 2023