3 matches found
@attraqt/activity (>=0.0.1 <=1.3.0-alpha.3), @attraqt/xo-js (=0.0.1) +4 more potentially affected by CVE-2020-28464 via djv (>=0.1.4 <=2.1.3-alpha.0)
djv NPM version =0.1.4, =0.0.1, =1.1.8, =1.0.3, =0.4.0, =1.0.1, =1.0.1-beta.1 Source cves: CVE-2020-28464 Source advisory: OSV:GHSA-4HV7-3Q38-97M8...
@attraqt/activity (>=0.0.1 <=1.3.0-alpha.3), @attraqt/xo-js (=0.0.1) +2 more potentially affected by CVE-2020-28464 via djv (=2.1.3-alpha.0)
djv NPM version =2.1.3-alpha.0 is affected by a known vulnerability. The following packages have a transitive dependency on djv and may be impacted:
- @attraqt/activity =0.0.1, =1.1.8, =1.0.3, =1.1.6
Source cves: CVE-2020-28464 Source advisory: SNYK:JS-DJV-1014545...
Remote Code Execution (RCE)
Overview: djv is a dynamic json-schema validator. Affected versions of this package are vulnerable to Remote Code Execution (RCE). By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine. POC: const djv = require('djv'); const env = new djv(); const evilSchema ...
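As an added illustration (not djv's own code, and not a completion of the truncated POC above), the following JavaScript models the bug class the advisory describes: a validator that is compiled from schema contents by string concatenation and `new Function`, so attacker-controlled strings in the schema become executed code, placed next to a version that interprets the schema instead of compiling it. The toy compiler, its source template, the `globalThis.__injected` marker, and both schemas are constructed for this example; that djv builds its validators in this particular way is an assumption made here, not something this page states.

```javascript
// Illustrative example of schema-driven code injection (hypothetical code, not djv's).
const ALLOWED_TYPES = new Set(['string', 'number', 'boolean', 'object']);

// VULNERABLE toy compiler: splices schema strings straight into generated source.
// Neither the property name nor `sub.type` is escaped or validated before
// reaching new Function, so whoever controls the schema controls the code.
function compileValidatorUnsafe(schema) {
  let src = 'return function (data) {\n';
  for (const [name, sub] of Object.entries(schema.properties || {})) {
    src += `  if (typeof data["${name}"] !== "${sub.type}") return false;\n`;
  }
  src += '  return true;\n};';
  return new Function(src)();
}

// HARDENED version: interprets the schema instead of compiling it, so schema
// strings are only ever compared, never executed; unknown types are rejected
// up front instead of being pasted into anything.
function compileValidatorSafe(schema) {
  const props = Object.entries(schema.properties || {});
  for (const [name, sub] of props) {
    if (!sub || !ALLOWED_TYPES.has(sub.type)) {
      throw new Error(`schema property ${JSON.stringify(name)} has unsupported type`);
    }
  }
  return function (data) {
    for (const [name, sub] of props) {
      if (typeof data[name] !== sub.type) return false;
    }
    return true;
  };
}

// Constructed schemas. The malicious property name closes the generated
// `data["..."]` and `if (...)` early, injects a statement that writes a marker
// to globalThis when the validator runs, then reopens a valid check so the
// generated source still parses.
const BENIGN_SCHEMA = { properties: { y: { type: 'string' } } };
const EVIL_SCHEMA = {
  properties: {
    ['x"]) {} globalThis.__injected = "ran"; if (typeof data["y']: { type: 'string' },
  },
};

// Runs one compiler on one schema and reports both the validation result and
// whether the injected statement executed (the marker is cleared first).
function runDemo(compile, schema, input) {
  delete globalThis.__injected;
  let result;
  try {
    result = compile(schema)(input);
  } catch (e) {
    result = 'rejected: ' + e.message;
  }
  return { result, injected: globalThis.__injected === 'ran' };
}

console.log('unsafe:', runDemo(compileValidatorUnsafe, EVIL_SCHEMA, { y: 'ok' }));
console.log('safe:  ', runDemo(compileValidatorSafe, EVIL_SCHEMA, { y: 'ok' }));
```

With the unsafe compiler the malicious schema validates `{ y: 'ok' }` as if nothing happened while the injected statement runs; with the interpreting version the same schema simply fails to match and nothing executes. The practical takeaway for the djv advisory is the same as for any validator that generates code from its schema: treat schema files as code, load them only from sources you control, and keep djv outside the affected range listed above rather than relying on input filtering.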