Home > Vulnerability Database > CVE-2023-26107

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2023-26107

Date: March 6, 2023

All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection when invoking shell.exec without sanitization nor parametrization while concatenating the current directory as part of the command string.

Language: JS

Severity Score

6.9

Related Resources (7)

Url: https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/lib/index.js#23L64

Url: https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/lib/index.js%23L115

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26107

Url: https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/lib/index.js#23L115

Url: https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/lib/index.js%23L64

Url: https://github.com/eBay/SketchSVG

Url: https://www.mend.io/vulnerability-database/CVE-2023-26107

Severity Score

6.9

Weakness Type (CWE)

Code Injection

CWE-94

CVSS v3.1

Base Score:	6.9
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Do you need more information?

Contact Us