Arbitrary Code Injection

Affecting kmc package, ALL versions

Do your applications use this vulnerable package? Test your applications

Overview

kmc is a NodeJS-based KISSY module packaging tool that is currently available for KISSY 1.2+ code package.

Affected versions of the package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands.

Remediation

There is no fix version for kmc.

References

CVSS Score

6.5
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit
Cristian-Alexandru Staicu, Michael Pradel, Ben Livshits
CWE
CWE-94
Snyk ID
npm:kmc:20160407
Disclosed
07 Apr, 2016
Published
01 May, 2017