Arbitrary Code Injection

Affecting soletta-dev-app package, ALL versions

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

soletta-dev-app is a Soletta Development Application which provides a web-based environment where developers can write, visualize, modify, run, test and debug their Soletta FBP programs. The Soletta Development Application is supposed to run on your target board and it then exposes.

Affected versions of this package are vulnerable to Arbitrary Code Injection. The package does not validate user input on the /api/service/status API endpoint, passing contents of the service query parameter to an exec call.

Remediation

There is no fixed version for soletta-dev-app.

References

CVSS Score

9.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Credit
Microsoft Vulnerability Research
CWE
CWE-94
Snyk ID
SNYK-JS-SOLETTADEVAPP-459558
Disclosed
10 Jun, 2019
Published
09 Jan, 2020