Description
This affects all versions of the package node-import. The "params" argument of the module function can be controlled by users without any sanitization. It is then passed to the "eval" function on line 79 of the index file "index.js".
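The flaw class described above, as an added example that is not node-import's code and does not reproduce its index.js: `runUnsafe`, `runSafe`, `demo` and the sample inputs are hypothetical. It contrasts splicing "params" values into evaluated source text with passing them as function arguments.

```javascript
// Hypothetical loader, not node-import's code: each `params` entry is spliced
// into the source text as a `var` declaration, then the whole string is eval'd.
function runUnsafe(source, params) {
  let prelude = '';
  for (const key of Object.keys(params)) {
    prelude += 'var ' + key + ' = ' + params[key] + ';\n';
  }
  return eval(prelude + source); // params text is parsed as code
}

// Hardened form: names are checked against an identifier pattern and values
// are passed as arguments, so they are never parsed. `source` is assumed to be
// trusted module code; only `params` is treated as user-controlled.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function runSafe(source, params) {
  const keys = Object.keys(params);
  for (const key of keys) {
    if (!IDENTIFIER.test(key)) {
      throw new TypeError('invalid parameter name: ' + JSON.stringify(key));
    }
  }
  const fn = new Function(...keys, '"use strict"; return (' + source + ');');
  return fn(...keys.map((key) => params[key]));
}

// Constructed input: the value carries a statement that only sets a marker.
function demo() {
  const source = 'width * 2';
  const crafted = { width: '1; globalThis.__evalMarker = "ran"' };
  const out = {};

  delete globalThis.__evalMarker;
  out.unsafeResult = runUnsafe(source, crafted);
  out.unsafeExecuted = globalThis.__evalMarker === 'ran';

  delete globalThis.__evalMarker;
  out.safeResult = runSafe(source, crafted);
  out.safeExecuted = globalThis.__evalMarker === 'ran';
  return out;
}

console.log(demo());
```

In the hardened form the crafted string stays a string, so the arithmetic yields NaN and the marker is never set.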
Remediation
References
https://security.snyk.io/vuln/SNYK-JS-NODEIMPORT-571691
https://github.com/mahdaen/node-import/blob/master/index.js#L79
Related Vulnerabilities
CVE-2022-27263 Vulnerability in npm package strapi
CVE-2020-10683 Vulnerability in maven package org.dom4j:dom4j
CVE-2023-45137 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates
CVE-2023-26486 Vulnerability in npm package vega-functions
CVE-2022-1274 Vulnerability in maven package org.keycloak:keycloak-themes