Mar 18, 2021 - 11:50 p.m.

CVE-2021-21384 Null characters not escaped in shescape

2021-03-18 23:50:13
CWE-88
GitHub_M
www.cve.org
cve-2021-21384
shell injection
shescape
javascript
security advisory
patched vulnerability

CVSS3: 6.3

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N

EPSS: 0.001
Percentile: 34.7%

shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using Shescape to defend against shell injection may still be vulnerable to shell injection if the attacker manages to insert a null character into the payload. For an example, see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required.

CNA Affected

[
  {
    "product": "shescape",
    "vendor": "ericcornelissen",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.1.3"
      }
    ]
  }
]
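
To check whether a project still resolves a shescape release in the affected range above, the following added example (not code from the advisory or from the shescape project) scans a parsed package-lock.json for installs older than 1.1.3. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag shescape installs in the affected range "< 1.1.3".
const FIXED = [1, 1, 3]; // first patched version, per the advisory

// True when a version string is below 1.1.3 (pre-releases of 1.1.3 included).
function isAffected(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return true; // git URL, tarball or missing version: review by hand
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // 1.1.3-rc.1 sorts before 1.1.3 in semver
}

// Return every affected shescape install recorded in a parsed lockfile.
function findShescape(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/shescape" || path.endsWith("/node_modules/shescape")) {
      hits.push({ path, version: info.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages"
  // exists, since version 2 lockfiles carry both views of the same tree).
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${name}`;
      if (name === "shescape") hits.push({ path: here, version: info.version });
      walk(info.dependencies, `${here}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.filter((h) => isAffected(h.version));
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/shescape": { version: "1.1.2" },
    "node_modules/tool/node_modules/shescape": { version: "1.1.3" },
  },
};

console.log(findShescape(SAMPLE_LOCK));
```

In a real project, pass `JSON.parse` of the lockfile contents to `findShescape` and upgrade every reported path to 1.1.3 or later.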
