Home > Vulnerability Database > WS-2019-0260

Mend.io Vulnerability Database

WS-2019-0260

Good to know:

Date: August 29, 2019

In Notevil, versions prior to 1.3.2, are vulnerable to Sandbox Escape leading to Remote Code Execution. Not checking the return values of function calls cause the package to fail in preventing access to the Function constructor. This allows attackers to access the Function prototype's constructor leading to the Sandbox Escape.

Language: JS

Severity Score

6.5

Related Resources (3)

Url: https://github.com/mmckegg/notevil/commits/master

Url: https://github.com/mmckegg/notevil/commit/5974329712f0a527c5e16d3b9067a076e28e45f1

Url: https://www.mend.io/vulnerability-database/WS-2019-0260

Severity Score

6.5

Weakness Type (CWE)

Code

CWE-17

Top Fix

Upgrade Version

Upgrade to version 1.3.2

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2019-0260

Good to know:

Date: August 29, 2019

Language: JS

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?