Arbitrary Code Injection Affecting soletta-dev-app package, versions *
Snyk CVSS
Attack Complexity
Low
Scope
Changed
Confidentiality
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-SOLETTADEVAPP-459558
- published 9 Jan 2020
- disclosed 10 Jun 2019
- credit Microsoft Vulnerability Research
How to fix?
There is no fixed version for soletta-dev-app.
Overview
soletta-dev-app is a Soletta Development Application which provides a web-based environment where developers can write, visualize, modify, run, test and debug their Soletta FBP programs. The Soletta Development Application is supposed to run on your target board and it then exposes.
Affected versions of this package are vulnerable to Arbitrary Code Injection. The package does not validate user input on the /api/service/status API endpoint, passing contents of the service query parameter to an exec call.