CVE-2022-25760 Information
Jun 07, 2022
Description
All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package’s exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099
https://github.com/carlos8f/node-accesslog/blob/master/lib/compile.js#L6
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.8
Base Severity
HIGH