CVE-2020-7777

Name of the Vulnerable Software and Affected Versions jsen versions all

Description This issue affects the jsen package, allowing an attacker to run arbitrary JavaScript code on the victim machine if they can control the schema file. The required field of the schema is not properly sanitized, and the resulting string is passed to a Function.apply(), leading to Arbitrary Code Execution. There is no mention of the risks of untrusted schema files in the module description and README file.

Recommendations As a temporary workaround, consider disabling the use of untrusted schema files until a patch is available. Restrict access to the Function.apply() function to minimize the risk of exploitation. Avoid using the required field in the schema definition until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.