Описание
An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.
A flaw was found in the canvg library. In affected versions, an attacker can manipulate the input to the StyleElement constructor to inject or alter properties within the global prototype chain. This can lead to other injection-based attacks, particularly if the library is integrated into an application in a way that interacts with sensitive Node.js APIs, such as exec or eval.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-central-db-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-main-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-rhel8-operator | Not affected | ||
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-roxctl-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-scanner-v4-db-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-scanner-v4-rhel8 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.
Уязвимость класса StyleElement библиотеки обработки SVG-изображений canvg, позволяющая нарушителю реализовать атаку типа «загрязнение прототипа»
EPSS
6.5 Medium
CVSS3