CVE-2023-2583 : Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3.

Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3.

Published 2023-05-08 17:15:12

Updated 2023-05-12 17:05:14

Source huntr.dev

View at NVD, CVE.org

Products affected by CVE-2023-2583

Jsreport » Jsreport » For Node.js
Versions before (<) 3.11.3
cpe:2.3:a:jsreport:jsreport:*:*:*:*:*:node.js:*:*
Matching versions

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 30 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	3.9	6.0	huntr.dev
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	3.9	6.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: security@huntr.dev (Primary)

https://huntr.dev/bounties/397ea68d-1e28-44ff-b830-c8883d067d96

An outdated dependency leads to to remote command execution vulnerability vulnerability found in jsreport
Exploit;Patch;Third Party Advisory
https://github.com/jsreport/jsreport/commit/afaff3804b34b38e959f5ae65f9e672088de13d7

release extensions 3.11.3 · jsreport/jsreport@afaff38 · GitHub
Patch

Jump to