CVE-2022-25760

Опубликовано: 17 мар. 2022

Источник: nvd

CVSS3: 7.1

CVSS3: 9.8

CVSS2: 10

EPSS Низкий

Описание

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.

Ссылки

https://github.com/carlos8f/node-accesslog/blob/master/lib/compile.js%23L6
Broken Link
https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099
Exploit
Third Party Advisory
https://github.com/carlos8f/node-accesslog/blob/master/lib/compile.js%23L6
Broken Link
https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:accesslog_project:accesslog:*:*:*:*:*:*:*:*

EPSS

Процентиль: 64%

0.0046

Низкий

7.1 High

CVSS3

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-94

Связанные уязвимости

GHSA-8m2f-74r2-x3f2

CVSS3: 7.1

github

почти 4 года назад

Code injection in accesslog

EPSS

Процентиль: 64%

0.0046

Низкий

7.1 High

CVSS3

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-94