CVE-2020-7678

Опубликовано: 25 июл. 2022

Источник: nvd

CVSS3: 8.6

CVSS3: 9.8

EPSS Низкий

Описание

This affects all versions of package node-import. The "params" argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located in line 79 in the index file "index.js".

Ссылки

https://github.com/mahdaen/node-import/blob/master/index.js%23L79
Broken Link
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-NODEIMPORT-571691
Exploit
Third Party Advisory
https://github.com/mahdaen/node-import/blob/master/index.js%23L79
Broken Link
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-NODEIMPORT-571691
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:node-import_project:node-import:*:*:*:*:*:node.js:*:*

EPSS

Процентиль: 62%

0.00433

Низкий

8.6 High

CVSS3

9.8 Critical

CVSS3

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-pc62-cq5x-3j5g

CVSS3: 9.8

github

больше 3 лет назад

node-import `params` argument can be controlled by users without any sanitization

EPSS

Процентиль: 62%

0.00433

Низкий

8.6 High

CVSS3

9.8 Critical

CVSS3

Дефекты

NVD-CWE-noinfo