110 matches found
Sandbox Breakout / Arbitrary Code Execution
Overview: Versions of notevil prior to 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor...
Sandbox Breakout / Arbitrary Code Execution
Overview: Versions of static-eval prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept: var evaluate = require('static-eval'); var parse =...
GHSA-5MJW-6JRH-HVFQ Sandbox Breakout / Arbitrary Code Execution in static-eval
Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept (js): var evaluate = require('static-eval'); var parse = require('esprima').parse; va...
CVE-2017-16226
The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution...
Code injection
The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution...
static-eval Arbitrary Code Execution Vulnerability
static-eval is a module for evaluating statically analyzable expressions. A security vulnerability exists in static-eval. An attacker can exploit this vulnerability to execute arbitrary code by accessing the global function constructor...
Sandbox Breakout / Arbitrary Code Execution
Overview: Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept: var evaluate = require('static-eval'); var parse =...