5 matches found
@cisdi/code-editor (>=3.0.0 <=3.3.10), @cisdi/ui-engine-charts (>=3.2.0 <=3.2.4) +32 more potentially affected by CVE-2021-23771 via notevil (>=0.8.1 <=1.3.3)
notevil NPM version =0.8.1, =3.0.0, =3.2.0, =2.9.0, =1.0.1, =1.0.0, =1.0.0, =0.10.0, =1.5.24, =5.0.0, =3.0.0, =5.2.0, =0.0.1, =0.0.50 and more Source cves: CVE-2021-23771 Source advisory: OSV:GHSA-8G4M-CJM2-96WQ...
@cisdi/code-editor (>=3.0.0 <=3.3.10), @cisdi/ui-engine-charts (>=3.2.0 <=3.2.4) +32 more potentially affected by CVE-2021-23771 via notevil (>=0.8.1 <=1.3.3)
notevil NPM version =0.8.1, =3.0.0, =3.2.0, =2.9.0, =1.0.1, =1.0.0, =1.0.0, =0.10.0, =1.5.24, =5.0.0, =3.0.0, =5.2.0, =0.0.1, =0.0.50 and more Source cves: CVE-2021-23771 Source advisory: SNYK:JS-NOTEVIL-2385946...
Sandbox Bypass
Overview: notevil is a module that uses esprima to parse JavaScript into an AST, then walks each node and evaluates the result. Note: this package has been deprecated. Affected versions of this package are vulnerable to Sandbox Bypass. It is vulnerable to Sandbox Escape leading to Prototype Pollution. The...
ezs (>=5.5.0 <=9.3.1), hoppel (=0.4.0) +3 more potentially affected by unknown CVE via notevil (>=0.8.1 <=1.3.1)
notevil NPM version =0.8.1, =5.5.0, =1.0.0, =0.1.0, =0.2.0 - piedpiper-middle-out =5.8.1 Source cves: unknown CVE Source advisory: OSV:GHSA-7R5F-7QR4-PF6Q...
GHSA-7R5F-7QR4-PF6Q Sandbox Breakout / Arbitrary Code Execution in notevil
Versions of notevil prior to 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor leading t...
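Constructed illustration of the bug class the two advisories describe, added here and not taken from notevil's source: an esprima-shaped AST walker that vets values obtained by identifier lookup and member access but, in its vulnerable configuration, hands call return values to the sandboxed program without the same check. The mini-evaluator, the `get` helper exposed to the sandbox, and the sample program are all assumptions made for the example; the only thing taken from the page is the mechanism (a function's `constructor` reachable through an unchecked return value).

```javascript
// Illustration of "call results are not checked" in a sandboxed evaluator.
// NOT notevil's implementation; evaluator, context and program are constructed.

// Stand-in handed out whenever sandboxed code would otherwise obtain the
// real Function constructor (which is eval in disguise).
function safeFunction() {
  throw new Error('Function constructor is not available in the sandbox');
}

function checkValue(value) {
  return value === Function ? safeFunction : value;
}

// Host-provided context (assumed): a generic property getter of the kind
// expression engines commonly expose, plus an ordinary function value.
// get(fn, 'constructor') returns the real Function via a *call*, which
// sidesteps the property-name blocklist applied to member expressions.
const context = {
  get: (obj, key) => (obj == null ? undefined : obj[key]),
  fn: function () {},
};

// Minimal walker over esprima-shaped nodes: Identifier, Literal,
// MemberExpression and CallExpression. checkCallResults selects the
// vulnerable (false) or hardened (true) behaviour at one spot only.
function makeEvaluator({ checkCallResults }) {
  function walk(node) {
    switch (node.type) {
      case 'Literal':
        return node.value;
      case 'Identifier':
        if (!Object.prototype.hasOwnProperty.call(context, node.name)) {
          throw new Error('undefined identifier ' + node.name);
        }
        return checkValue(context[node.name]);
      case 'MemberExpression': {
        const obj = walk(node.object);
        const key = node.computed ? walk(node.property) : node.property.name;
        if (key === 'constructor' || key === '__proto__' || key === 'prototype') {
          throw new Error('blocked property ' + key);
        }
        return checkValue(obj[key]);
      }
      case 'CallExpression': {
        const callee = walk(node.callee);
        if (typeof callee !== 'function') throw new Error('callee is not a function');
        const args = node.arguments.map(walk);
        const result = callee.apply(undefined, args);
        // Vulnerable variant: a value arriving through a return value skips
        // the gate that identifier lookup and member access go through.
        return checkCallResults ? checkValue(result) : result;
      }
      default:
        throw new Error('unsupported node ' + node.type);
    }
  }
  return walk;
}

// Constructed sample program: get(fn, 'constructor')('return 6 * 7')()
const escapeViaCall = {
  type: 'CallExpression',
  callee: {
    type: 'CallExpression',
    callee: {
      type: 'CallExpression',
      callee: { type: 'Identifier', name: 'get' },
      arguments: [
        { type: 'Identifier', name: 'fn' },
        { type: 'Literal', value: 'constructor' },
      ],
    },
    arguments: [{ type: 'Literal', value: 'return 6 * 7' }],
  },
  arguments: [],
};

// Constructed sample program: fn.constructor (direct member access)
const escapeViaMember = {
  type: 'MemberExpression',
  computed: false,
  object: { type: 'Identifier', name: 'fn' },
  property: { type: 'Identifier', name: 'constructor' },
};

function runOrMessage(evaluate, program) {
  try { return evaluate(program); } catch (e) { return e.message; }
}

// Unchecked call result: the real Function is obtained and host code runs.
function runVulnerable() {
  return runOrMessage(makeEvaluator({ checkCallResults: false }), escapeViaCall); // 42
}
// Checked call result: Function is swapped for safeFunction, which throws.
function runHardened() {
  return runOrMessage(makeEvaluator({ checkCallResults: true }), escapeViaCall);
}
// The member-expression path is blocked by name in both configurations.
function runDirectMemberAccess() {
  return runOrMessage(makeEvaluator({ checkCallResults: false }), escapeViaMember);
}
```

The point the example makes is that a sandbox's value filter has to sit on every edge through which a value can enter the evaluated program; blocking `constructor` as a property name is useless once any host-provided function can return the constructor as its result.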