Downloads Resources over HTTP in phantomjs-cheniu

Severity:: High

Description

Affected versions of phantomjs-cheniu insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running phantomjs-cheniu.

Recommendation

No fix is available yet. Followings are affected versions:

<= 2.0.1

References

GHSA-w364-8vfv-gvf5
www.npmjs.com
CVE-2016-10661
CWE-311
CAPEC-310
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Downloads Resources over HTTP in webdrvr - CVE-2016-10601
Downloads Resources over HTTP in wasdk - CVE-2016-10587
Downloads Resources over HTTP in product-monitor - CVE-2016-10567
Downloads Resources over HTTP in strider-sauce - CVE-2016-10611

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; phantomjs-cheniu

Anything's wrong? Let us know Last updated on January 09, 2023