PT-2020-19700 · Unknown · Access-Policy

Published 2020-06-10 · Updated 2021-07-21 · CVE-2020-7674

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: access-policy versions prior to 3.1.0

Description: The issue allows arbitrary code execution. User input provided to the template function is executed by the eval function, resulting in code execution.

Recommendations: Update to version 3.1.0 or later to resolve the issue. As a temporary workaround for versions prior to 3.1.0, consider restricting user input to the template function to minimize the risk of exploitation.
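
The class of bug described above, shown next to a hardened alternative. This is an added illustration, not code from access-policy or from this advisory; the function names `evalTemplate`, `safeTemplate` and `lookup` and the sample inputs are hypothetical.

```javascript
// Added illustration; function names are hypothetical, not access-policy's API.

// Vulnerable pattern: the template text is wrapped in a template literal and
// passed to eval, so any ${...} expression inside it runs as code.
function evalTemplate(text, data) {
  return eval('`' + text + '`'); // `data` is in scope for the evaluated text
}

// Hardened pattern: only ${dotted.path} field references are accepted, and each
// is resolved by own-property lookup. Nothing is evaluated.
const FIELD = /\$\{\s*([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)\s*\}/g;

function lookup(root, path) {
  let cur = root;
  for (const key of path.split('.')) {
    const isObject = cur !== null && typeof cur === 'object';
    if (!isObject || !Object.prototype.hasOwnProperty.call(cur, key)) {
      throw new Error('unknown template field: ' + path);
    }
    cur = cur[key];
  }
  return cur;
}

function safeTemplate(text, data) {
  // Anything that still contains "${" after removing valid field references
  // is an expression, so the whole template is rejected.
  if (text.replace(FIELD, '').includes('${')) {
    throw new Error('template contains an expression, not a field reference');
  }
  return text.replace(FIELD, (_, path) => String(lookup({ data }, path)));
}

// Constructed inputs: harmless arithmetic stands in for attacker-supplied code.
function demo() {
  const data = { user: { id: 'u42' } };
  const fieldRef = 'owner is ${data.user.id}';
  const expression = 'owner is ${7 * 6}';
  let rejected = false;
  try { safeTemplate(expression, data); } catch (e) { rejected = true; }
  return {
    evalExpression: evalTemplate(expression, data),
    safeFieldRef: safeTemplate(fieldRef, data),
    safeRejectsExpression: rejected,
  };
}
```

The own-property check in `lookup` also keeps field references from walking into inherited members such as `constructor`.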

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2020-7674
GHSA-FW2F-7F87-5R6C
SNYK-JS-ACCESSPOLICY-571490

Affected Products

Access-Policy