Description
Unsafe eval() in summit allows arbitrary code execution
Affected versions of summit allow attackers to execute arbitrary commands via collection names when using the PouchDB driver.
Recommendation
No direct patch is available at this time.
Currently, the best option to mitigate the issue is to avoid using the PouchDB driver, as the package author has abandoned this feature entirely.
Packages
Name: summit (npm)
Affected versions: >= 0.1.0, <= 0.1.22
Fixed version: None
Related vulnerabilities
CVSS3: 9.8
nvd
more than 7 years ago
Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name.