Description
jsreport vulnerable to code injection
jsreport prior to 3.11.3 had a version of vm2 vulnerable to CVE-2023-29017 hard-coded in the package.json of the jsreport-core component. An attacker can use this vulnerability to gain the privileges of the jsreport playground server, or construct a malicious webpage/HTML file and send it to a user to attack the installed jsreport client.
Packages
Name: jsreport (npm)
Affected versions: < 3.11.3
Fixed version: 3.11.3
Related vulnerabilities
CVSS3: 10
nvd
more than 2 years ago
Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3.