CVE-2023-26107

low-risk
Published 2023-03-06

All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection when invoking shell.exec without sanitization nor parametrization while concatenating the current directory as part of the command string.

Do I need to act?

-
0.21% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.9/10 Medium
LOCAL / HIGH complexity

Affected Products (1)

Sketchsvg

Affected Vendors

Ebay

References (6)

Broken Link https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/...
Broken Link https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/...
Exploit https://security.snyk.io/vuln/SNYK-JS-SKETCHSVG-3167969
Broken Link https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/...
Broken Link https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/...
Exploit https://security.snyk.io/vuln/SNYK-JS-SKETCHSVG-3167969
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal