Vulnerability Details : CVE-2014-7205
Public exploit exists!
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary JavaScript code via unspecified vectors.
Products affected by CVE-2014-7205
- cpe:2.3:a:bassmaster_project:bassmaster:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-7205
- 92.57%: Probability of exploitation activity in the next 30 days
- ~99%: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2014-7205
- Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution
  Disclosure Date: 2016-11-01
  First seen: 2020-04-26
  exploit/multi/http/bassmaster_js_injection
  This module exploits an unauthenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an attacker to dynamically execute JavaScript code on the server side using an eval. Note that t
CVSS scores for CVE-2014-7205
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
CWE ids for CVE-2014-7205
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-7205
- http://www.securityfocus.com/bid/70180
  Bassmaster 'eval()' Function Arbitrary Code Execution Vulnerability (Third Party Advisory; VDB Entry)
- https://github.com/hapijs/bassmaster/commit/b751602d8cb7194ee62a61e085069679525138c4
  Remove eval statement · outmoded/bassmaster@b751602 · GitHub (Exploit)
- https://nodesecurity.io/advisories/bassmaster_js_injection
  npm (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2014/09/30/10
  oss-security - Re: CVE request: various NodeJS module vulnerabilities (Mailing List; Third Party Advisory)
- https://www.exploit-db.com/exploits/40689/
  Bassmaster 1.5.1 - Batch Arbitrary JavaScript Injection Remote Code Execution (Metasploit) - Linux remote Exploit (Third Party Advisory; VDB Entry)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96730
  Node.js Bassmaster eval() code execution CVE-2014-7205 Vulnerability Report (Third Party Advisory; VDB Entry)