CVEs-PoC/2017/CVE-2017-16035.md

### [CVE-2017-16035](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16035)
![](https://img.shields.io/static/v1?label=Product&message=hubl-server%20node%20module&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=All%20versions%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Missing%20Encryption%20of%20Sensitive%20Data%20(CWE-311)&color=brightgreen)

### Description

The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon