Arbitrary Code Injection
Vulnerable module: growl
Introduced through: truffle@4.1.5
Detailed paths
Introduced through: erc20-tokens@ConsenSys/Tokens#df959c7db75cc5fbb1591775353733958b3ceca1 › truffle@4.1.5 › mocha@3.5.3 › growl@1.9.2
Remediation: Upgrade to truffle@4.1.9.
Overview
growl is a package adding Growl support for Nodejs.
Affected versions of this package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands.
Arbitrary Code Injection Vulnerable module: growl Introduced through: truffle@4.1.5 Detailed paths Introduced through: erc20-tokens@ConsenSys/Tokens#df959c7db75cc5fbb1591775353733958b3ceca1 › truffle@4.1.5 › mocha@3.5.3 › growl@1.9.2 Remediation: Upgrade to truffle@4.1.9. Overview growl is a package adding Growl support for Nodejs.
Affected versions of this package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands.
Arbitrary Code Injection vulnerability report