PT-2016-3266 · Apache · Pouchdb

Published: 2016-10-17 · Updated: 2019-10-09 · CVE-2016-10546

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: PouchDB versions prior to 6.0.5

Description: A code injection vector was found in the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed, allowing an attacker to run arbitrary JavaScript as well as system commands. This issue is related to insufficient control of code generation. Under certain circumstances, an attacker could use this to run arbitrary code on the server.

Recommendations: Update to version 6.0.5 or later. As a temporary workaround, consider disabling the map/reduce functions for temporary views and design documents until a patch is available.

Fix

Code Injection


Weakness Enumeration

Related Identifiers

BDU:2018-00915
CVE-2016-10546
GHSA-CGQV-X5CX-XVQH

Affected Products

Pouchdb