Vulnerability CVE-2022-25760


Published: 2022-03-17

Description:
All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.

Type:

CWE-94

(Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Accesslog project -> Accesslog 

 References:
https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099
https://github.com/carlos8f/node-accesslog/blob/master/lib/compile.js%23L6

Copyright 2023, cxsecurity.com

 

Back to Top