CVE-2023-26122
https://notcve.org/view.php?id=CVE-2023-26122
11 Apr 2023 — All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable functions:** `__defineGetter__`, `stack()`, `toLocaleString()`, `propertyIsEnumerable.call()`, `valueOf()`. • https://gist.github.com/seongil-wi/2db6cb884e10137a93132b7f74879cce • CWE-265: Privilege Issues • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2023-26121
https://notcve.org/view.php?id=CVE-2023-26121
11 Apr 2023 — All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content. • https://gist.github.com/seongil-wi/9d9fc0cc5b7b130419cd45827e59c4f9 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2022-25904 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2022-25904
20 Dec 2022 — All versions of the package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses the vm variable, leading an attacker to modify properties of the Object.prototype. • https://github.com/hacksparrow/safe-eval/issues/26 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2017-16088
https://notcve.org/view.php?id=CVE-2017-16088
07 Jun 2018 — The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, unsanitized user input can access the entire standard library and effectively break out of the sandbox. • https://github.com/Flyy-yu/CVE-2017-16088 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere