CVE-2020-7678

This affects all versions of package node-import. The "params" argument of module function can be controlled by users without any sanitization.b. This is then provided to the eval function located in line 79 in the index file "index.js".
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
snykCNA
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:U/RC:C
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
VendorProductVersion
node-import_projectnode-import
*
𝑥
= Vulnerable software versions
References
https://github.com/mahdaen/node-import/blob/master/index.js%23L79
https://security.snyk.io/vuln/SNYK-JS-NODEIMPORT-571691
https://github.com/mahdaen/node-import/blob/master/index.js%23L79
https://security.snyk.io/vuln/SNYK-JS-NODEIMPORT-571691