Arbitrary Code Injection

Affecting jstree package, versions <3.3.7

Overview

jstree is a jQuery plugin that provides interactive trees.

Affected versions of this package are vulnerable to Arbitrary Code Injection due to using the eval() function in an insecure manner.

Remediation

Upgrade jstree to version 3.3.7 or higher.

References


CVSS Score

7.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit
Dusan Vuckovic
CWE
CWE-94
Snyk ID
SNYK-JS-JSTREE-72490
Disclosed
15 Oct, 2018
Published
21 Oct, 2018