Description
Arbitrary JavaScript Execution in typed-function
Versions of typed-function prior to 0.10.6 are vulnerable to Arbitrary JavaScript Execution. Function names are not properly sanitized before use, so a crafted name may allow an attacker to execute arbitrary code.
Recommendation
Upgrade to version 0.10.6 or later.
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-1001004
- https://github.com/josdejong/typed-function/commit/6478ef4f2c3f3c2d9f2c820e2db4b4ba3425e6fe
- https://github.com/josdejong/typed-function/commit/6478ef4f2c3f3c2d9f2c820e2db4b4ba3425e6fe?diff=split#diff-9e1f22c2954a38db1fdf444dbc74e0a8
- https://github.com/josdejong/typed-function/blob/master/HISTORY.md#2017-11-18-version-0106
- https://snyk.io/vuln/SNYK-JS-TYPEDFUNCTION-174139
- https://www.npmjs.com/advisories/819
Packages
Name: typed-function (npm)
Affected versions: < 0.10.6
Fixed version: 0.10.6
Related vulnerabilities
CVSS3: 8.8
nvd
about 8 years ago
typed-function before 0.10.6 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result in arbitrary execution.