PT-2021-14384 · Rsshub · Rsshub
Published: 2021-01-26 · Updated: 2021-10-12
CVE-2021-21278
CVSS v3.1: 8.6 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
RSSHub versions prior to 7f1c430
Description:
RSSHub is an open source, easy to use, and extensible RSS feed generator. Some routes pass content fetched from the target site to eval or the Function constructor, so a malicious target site can inject code that is executed on the RSSHub server, causing server-side security issues.
Recommendations:
For versions prior to 7f1c430, upgrade to version 7f1c430 or later as soon as possible. As a temporary workaround, consider disabling the routes that use eval or the Function constructor until the issue is resolved. Additionally, enabling the no-new-func rule in eslint helps flag such code during review and mitigate the risk.
Weakness Enumeration: Special Elements Injection
Related Identifiers: CVE-2021-21278
Affected Products: Rsshub