CVE-2019-5479 : An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attac

An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).

Published 2019-09-03 20:15:12

Updated 2020-10-16 14:12:14

Source HackerOne

View at NVD, CVE.org

Vulnerability category: File inclusion

Products affected by CVE-2019-5479

Larvit » Larvitbase » For Node.js
Versions before (<) 0.5.5
cpe:2.3:a:larvit:larvitbase:*:*:*:*:*:node.js:*:*
Matching versions

EPSS FAQ

0.18%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 40 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Assigned by: support@hackerone.com (Secondary)
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Assigned by: nvd@nist.gov (Primary)

https://hackerone.com/reports/566056

#566056 [larvitbase-api] Unintended Require
Exploit;Issue Tracking;Third Party Advisory

Jump to