CVE-2020-7678

EUVD-2022-6382
This affects all versions of package node-import. The "params" argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located in line 79 in the index file "index.js".
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
snykCNA
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:U/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
Affected Products (NVD)
VendorProductVersion
node-import_projectnode-import
*
𝑥
= Vulnerable software versions
References
https://github.com/mahdaen/node-import/blob/master/index.js%23L79
https://security.snyk.io/vuln/SNYK-JS-NODEIMPORT-571691
https://github.com/mahdaen/node-import/blob/master/index.js%23L79
https://security.snyk.io/vuln/SNYK-JS-NODEIMPORT-571691