All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.
References
Link | Resource |
---|---|
https://github.com/carlos8f/node-accesslog/blob/master/lib/compile.js%23L6 | Broken Link |
https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: snyk
Published: 2022-03-17T00:00:00
Updated: 2022-03-17T11:20:27
Reserved: 2022-02-24T00:00:00
Link: CVE-2022-25760
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-03-17T12:15:08.293
Modified: 2022-03-23T18:40:44.540
Link: CVE-2022-25760
JSON object: View
Redhat Information
No data.
CWE