PT-2018-4726 · Npm · Reduce-Css-Calc

Chalker · Published 2018-05-31 · Updated 2019-10-09 · CVE-2016-10548

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: reduce-css-calc versions <=1.2.4

Description: Affected versions of reduce-css-calc pass the contents of a calc() expression directly to eval. If user input reaches the calc function, crafted CSS can therefore execute arbitrary code: cross-site scripting (XSS) in the browser on the client side, or arbitrary code injection (remote code execution) on the server.

Recommendations: For versions <=1.2.4, update to version 1.2.5 or later. As a temporary workaround, restrict use of the calc function to minimize exposure, and do not pass user input to the calc function until the upgrade is in place.
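An added example, not code from reduce-css-calc or from the advisory, contrasting the pattern the description names (the calc() body handed to eval) with a restricted evaluator that accepts only CSS-style arithmetic; unsafeReduceCalc, tokenize and safeEvalCalc are names chosen here, and the evaluator assumes a single unit per expression.

```javascript
// Vulnerable pattern the advisory describes (illustrative, not the package's code):
// the calc() body is handed to eval(), so any JavaScript inside it is executed.
function unsafeReduceCalc(css) {
  return css.replace(/calc\(([^)]*)\)/g, (_, expr) => String(eval(expr)));
}

// Hardened: accept only numbers (optional unit), + - * / and parentheses; anything else throws.
function tokenize(expr) {
  const re = /\s*(?:(\d+(?:\.\d+)?)([a-z%]*)|([-+*/()]))/y, tokens = [];
  while (re.lastIndex < expr.length) {          // sticky regex: must match at lastIndex
    const m = re.exec(expr);
    if (!m) throw new Error('rejected: unexpected input in ' + JSON.stringify(expr));
    tokens.push(m[3] ? { op: m[3] } : { v: parseFloat(m[1]), u: m[2] });
  }
  return tokens;
}

// Assumption: all unit-bearing numbers share one unit; mixed units (e.g. 100% - 10px) are rejected.
function safeEvalCalc(expr) {
  const t = tokenize(expr.trim());
  const ops = [['+', '-'], ['*', '/']];          // precedence levels, low to high
  let i = 0, unit = '';
  const peek = () => (i < t.length ? t[i].op : undefined);
  function atom() {
    const tok = t[i++];
    if (!tok) throw new Error('rejected: unexpected end of expression');
    if (tok.op === '(') {
      const v = level(0);
      if (!t[i] || t[i++].op !== ')') throw new Error('rejected: missing )');
      return v;
    }
    if (tok.op === '-') return -atom();          // unary minus
    if (tok.op) throw new Error('rejected: misplaced ' + tok.op);
    if (tok.u) { if (unit && unit !== tok.u) throw new Error('rejected: mixed units'); unit = tok.u; }
    return tok.v;
  }
  function level(n) {                            // binary operators by precedence
    if (n === ops.length) return atom();
    let v = level(n + 1);
    while (ops[n].includes(peek())) {
      const op = t[i++].op, r = level(n + 1);
      v = op === '+' ? v + r : op === '-' ? v - r : op === '*' ? v * r : v / r;
    }
    return v;
  }
  const v = level(0);
  if (i !== t.length) throw new Error('rejected: trailing input');
  return v + unit;
}
```

The eval-based version evaluates any JavaScript expression placed inside calc(), while safeEvalCalc reduces genuine arithmetic such as `(10px + 5px) * 2` and rejects everything else.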

Links: Exploit · Fix

Tags: XSS · Code Injection


Weakness Enumeration

Related Identifiers: CVE-2016-10548, GHSA-4662-J96G-MV46

Affected Products: Reduce-Css-Calc