Lucene search
Alexander AnderssonNODEJS:1439HistoryDec 18, 2019 - 2:29 p.m.
Command Injection
2019-12-1814:29:51
Alexander Andersson
www.npmjs.com
6
0.006 Low
EPSS
Percentile
78.2%
Overview
Versions of hot-formula-parser prior to 3.0.1 are vulnerable to Command Injection. The package fails to sanitize values passed to the parse function and concatenates it in an eval call. If a value of the formula is supplied by user-controlled input it may allow attackers to run arbitrary commands in the server.
Parsing the following formula creates a test file in the present directory:
"SUM([(function(){require('child_process').execSync('touch test')})(),2])"
Recommendation
Upgrade to version 3.0.1 or later.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| hot-formula-parser | lt | 3.0.1 |
Related
osv
osv
CVE-2020-6836
2020-01-11 01:15:10
Command Injection in hot-formula-parser
2020-05-06 19:32:33
nvd
nvd
CVE-2020-6836
2020-01-11 01:15:10
veracode
veracode
Arbitrary Code Injection
2020-01-13 00:54:16
cve
cve
CVE-2020-6836
2020-01-11 01:15:10
cvelist
cvelist
CVE-2020-6836
2020-01-11 00:42:28
github
github
Command Injection in hot-formula-parser
2020-05-06 19:32:33
githubexploit
githubexploit
Exploit for Code Injection in Hot-Formula-Parser Project Hot-Formula-Parser
2020-12-01 09:45:48
prion
prion
Code injection
2020-01-11 01:15:00