CVE-2022-25760 HIGH

CVE-2022-25760: Arbitrary Code Injection

Vendor N/A
Product accesslog
Published March 17, 2022
Last update September 16, 2024

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L/E:P

What the vulnerability does

Description

All versions of the accesslog package are vulnerable to arbitrary code injection because the format option is compiled with the Function constructor without input sanitization. If attacker-controlled input reaches the format option of the package's exported constructor function, the attacker can execute arbitrary JavaScript on the host that runs the package.
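The following is an added example, not accesslog's own source, written to show the defect class this record describes: a log format string that is spliced into JavaScript source and compiled with the Function constructor, placed beside a token-based formatter that resolves allowlisted placeholders by property lookup and never evaluates the format. The placeholder names, the sample request object and the helper names are assumptions made for this illustration.

```javascript
// Added example (not accesslog's own source): the vulnerable pattern the CVE
// describes, a format string compiled with the Function constructor, beside a
// token-based formatter that never interprets the format as code.

// VULNERABLE PATTERN (illustrative). ":name" placeholders are rewritten into a
// JavaScript source string and compiled. Any quote or other syntax in `format`
// becomes part of the compiled function, so a caller-controlled format is
// caller-controlled code in the host process.
function compileWithFunctionCtor(format) {
  const body = 'return "' + format.replace(/:(\w+)/g, '" + req.$1 + "') + '";';
  return new Function('req', body);
}

// Allowlist of placeholders the safe formatter understands (assumed names).
// Each resolves with a plain property lookup; the format string itself is
// never evaluated.
const TOKENS = {
  method: (req) => req.method,
  url: (req) => req.url,
  status: (req) => String(req.status),
  ip: (req) => req.ip,
};
const hasToken = (name) => Object.prototype.hasOwnProperty.call(TOKENS, name);

// HARDENED ALTERNATIVE. The format is split once into literal text and
// placeholder pieces; unknown placeholders are kept as literal text, and
// quotes, backslashes or newlines in the format are just characters.
function compileSafe(format) {
  const parts = [];
  const re = /:(\w+)/g;
  let last = 0;
  let m;
  while ((m = re.exec(format)) !== null) {
    if (m.index > last) parts.push({ lit: format.slice(last, m.index) });
    parts.push(hasToken(m[1]) ? { tok: m[1] } : { lit: m[0] });
    last = re.lastIndex;
  }
  if (last < format.length) parts.push({ lit: format.slice(last) });
  return (req) =>
    parts.map((p) => (p.tok ? TOKENS[p.tok](req) : p.lit)).join('');
}

// Defensive check for code that cannot yet be migrated off the Function
// constructor: accept a format only if every placeholder is allowlisted and
// the remaining literal text is restricted to characters that cannot alter
// the surrounding JavaScript source.
function isAllowlistedFormat(format) {
  let allKnown = true;
  const literals = format.replace(/:(\w+)/g, (whole, name) => {
    if (!hasToken(name)) allKnown = false;
    return '';
  });
  return allKnown && /^[\w\s\-\/.\[\]=,;]*$/.test(literals);
}

// Constructed sample request (not captured from the package).
const sampleReq = { method: 'GET', url: '/index.html', status: 200, ip: '203.0.113.7' };

console.log(compileSafe(':ip - :method :url -> :status')(sampleReq));
```

For well-formed formats both compilers print the same line, which is why the defect goes unnoticed in normal use. The difference shows up as soon as the format contains a quote: compileSafe renders it as text, while compileWithFunctionCtor fails with a SyntaxError because the quote has changed the program it is compiling. That failure is the observable symptom a reviewer can look for; the fix is to stop deriving source code from the format at all, as compileSafe does.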

Key dates

Disclosure timeline

March 17, 2022 CVE published
September 16, 2024 Record updated