Code Injection in cd-messenger

Description

cd-messenger through 2.7.26 is vulnerable to Arbitrary Code Execution. User input provided to the color argument executed by the eval function resulting in code execution.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 2.7.26

References

• GHSA-v756-4whv-48vc
• snyk.io
• CVE-2020-7675
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - xmlhttprequest - CVE-2020-28502
• Code Injection in mquery - CVE-2020-35149
• xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - CVE-2020-28502
• Code Injection in node-rules - CVE-2020-7609

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

cd-messenger