CVE-2020-6836

Description

grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may allow attackers to run arbitrary commands on the server.

CVSS Version 3.1
CVSS Version 2.0

nvd
CVE ID: CVE-2020-6836
Base Score: 9.8
Base Severity: CRITICAL
Vector String:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9

nvd
CVE ID: CVE-2020-6836
Base Score: 7.5
Base Severity: HIGH
Vector String:AV:N/AC:L/Au:N/C:P/I:P/A:P

Content on GitHub

ossf-cve-benchmark | watchers:0

CVE-2020-6836

Refrence: GitHub

Refrence: NVD

Description​

Content on GitHub​

Description

Content on GitHub