Vulnerability Description
This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine.
CVSS Score
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Djv Project | Djv | < 2.1.4 |
Related Weaknesses (CWE)
References
- https://github.com/korzio/djv/blob/master/lib/utils/properties.js%23L55Broken Link
- https://github.com/korzio/djv/pull/98/filesPatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-DJV-1014545ExploitThird Party Advisory
- https://github.com/korzio/djv/blob/master/lib/utils/properties.js%23L55Broken Link
- https://github.com/korzio/djv/pull/98/filesPatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-DJV-1014545ExploitThird Party Advisory
FAQ
What is CVE-2020-28464?
CVE-2020-28464 is a vulnerability with a CVSS score of 9.8 (CRITICAL). This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine.
How severe is CVE-2020-28464?
CVE-2020-28464 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-28464?
Check the references section above for vendor advisories and patch information. Affected products include: Djv Project Djv.