nadesiko3 allows remote attacker to inject invalid value to decodeURIComponent of nako3edit

Description

Nako3edit is the editor component of Nadeshiko 3, a programming language developed based on Japanese. Improper check or handling of exceptional conditions in Nako3edit v3.3.74 and earlier allows a remote attacker to inject an invalid value to decodeURIComponent of nako3edit, which may lead the server to crash.

Recommendation

Update the nadesiko3 package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.3.75
• Patched version(s): 3.3.75

References

• GHSA-x2jx-w3wm-9p3p
• jvn.jp
• CVE-2022-41777
• CWE-703
• CWE-755
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Nadesiko3 OS Command Injection vulnerability - CVE-2022-41642
• Invalid file request can crash server - CVE-2022-31089
• Possible inject arbitrary `CSS` into the generated graph affecting the container HTML - CVE-2022-31108
• Remote code execution via MongoDB BSON parser through prototype pollution - CVE-2022-39396

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

nadesiko3