Vulnerability Description
Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted css. This makes cross sites scripting (XSS) possible on the client and arbitrary code injection possible on the server and user input is passed to the `calc` function.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Reduce-Css-Calc Project | Reduce-Css-Calc | <= 1.2.4 |
Related Weaknesses (CWE)
References
- https://gist.github.com/ChALkeR/415a41b561ebea9b341efbb40b802fc9ExploitThird Party Advisory
- https://nodesecurity.io/advisories/144ExploitThird Party Advisory
- https://gist.github.com/ChALkeR/415a41b561ebea9b341efbb40b802fc9ExploitThird Party Advisory
- https://nodesecurity.io/advisories/144ExploitThird Party Advisory
FAQ
What is CVE-2016-10548?
CVE-2016-10548 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted css. This makes cross sites scripting (XSS) possible on the client and arbitrary code injection possible on ...
How severe is CVE-2016-10548?
CVE-2016-10548 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10548?
Check the references section above for vendor advisories and patch information. Affected products include: Reduce-Css-Calc Project Reduce-Css-Calc.