CVE-2019-5479

High

An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).

hackerone·CWE-98·Published 2019-09-03

CVSS

7.5

EPSS

0.01

KEV

Exploits

cve.orgen

140 chars

An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).

NVDen

140 chars

An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).

Versions of `larvitbase-api` prior to 0.5.4 are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to an `require()` call. This allows attackers to execute any `.js` file in the same folder as the server is running. ## Recommendation Upgrade to version 0.5.4 or later.

GHSAen

332 chars

NVDes

187 chars

Una vulnerabilidad de solicitud no deseada en versiones anteriores a la 0.5.5 larvitbase-api puede permitir que un atacante cargue código arbitrario de no producción (archivo JavaScript).

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	5.0	10.0	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N
3.1	Primary	NVD	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
3.1	Secondary	GHSA	7.5	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N