CVE-2020-28464 – djv
Package
Manager: npm
Name: djv
Vulnerable Version: >=0 <2.1.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00473 (percentile: 0.63743)
Details
Arbitrary code execution in djv. This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine.
Metadata
Created: 2021-04-13T15:24:47Z
Modified: 2021-04-06T23:35:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-4hv7-3q38-97m8/GHSA-4hv7-3q38-97m8.json
CWE IDs: CWE-94
Alternative ID: GHSA-4hv7-3q38-97m8
Finding: F422
Auto approve: 1