Arbitrary Code Injection

Affecting morgan package, versions <1.9.1

Overview

An attacker could use the format parameter to inject arbitrary commands.

CVSS Score

6.8 (medium severity)
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P

Credit: Unknown
CVE: CVE-2019-5413
CWE: CWE-94
Snyk ID: SNYK-JS-MORGAN-72579
Disclosed: 09 Nov, 2018
Published: 12 Nov, 2018