Arbitrary Code Injection

Affecting soletta-dev-app package, ALL versions

Do your applications use this vulnerable package? Test your applications

Overview

soletta-dev-app is a web-based environment where developers can write, visualize, modify, run, test and debug their Soletta FBP programs.

Affected versions of this package are vulnerable to Arbitrary Code Injection. The package does not validate user input on the /api/service/status API endpoint, passing contents of the service query parameter to an exec call.

Remediation

There is no fixed version for soletta-dev-app.

References

CVSS Score

9.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Credit
Microsoft Vulnerability Research
CWE
CWE-94
Snyk ID
SNYK-JS-SOLETTADEVAPP-459558
Disclosed
10 Jun, 2019
Published
09 Jan, 2020