CVE-2016-10548

Опубликовано: 31 мая 2018

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted css. This makes cross sites scripting (XSS) possible on the client and arbitrary code injection possible on the server and user input is passed to the calc function.

Ссылки

https://gist.github.com/ChALkeR/415a41b561ebea9b341efbb40b802fc9
Exploit
Third Party Advisory
https://nodesecurity.io/advisories/144
Exploit
Third Party Advisory
https://gist.github.com/ChALkeR/415a41b561ebea9b341efbb40b802fc9
Exploit
Third Party Advisory
https://nodesecurity.io/advisories/144
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:reduce-css-calc_project:reduce-css-calc:*:*:*:*:*:node.js:*:*

Версия до 1.2.4 (включая)

EPSS

Процентиль: 62%

0.00427

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-94

CWE-79

Связанные уязвимости

GHSA-4662-j96g-mv46

github

больше 7 лет назад

Arbitrary Code Injection in reduce-css-calc