CVE-2020-7678 : This affects all versions of package node-import. The "params" argument of modul

This affects all versions of package node-import. The "params" argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located in line 79 in the index file "index.js".

Published 2022-07-25 14:15:10

Updated 2022-08-01 17:38:53

Source Snyk

View at NVD, CVE.org

Products affected by CVE-2020-7678

Node-import Project » Node-import » For Node.js
cpe:2.3:a:node-import_project:node-import:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-7678

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 27 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7678

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L	3.9	4.7	Snyk
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: Low Availability: Low

References for CVE-2020-7678

https://github.com/mahdaen/node-import/blob/master/index.js%23L79

Page not found · GitHub · GitHub
Broken Link;Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-NODEIMPORT-571691

Arbitrary Code Execution in node-import | CVE-2020-7678 | Snyk
Exploit;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-7678

Products affected by CVE-2020-7678

Exploit prediction scoring system (EPSS) score for CVE-2020-7678

CVSS scores for CVE-2020-7678

References for CVE-2020-7678