Arbitrary Code Injection Affecting jstree package, versions <3.3.7
Snyk CVSS
- Attack Complexity: Low
- Snyk ID SNYK-JS-JSTREE-72490
- published 21 Oct 2018
- disclosed 15 Oct 2018
- credit Dusan Vuckovic
How to fix?
Upgrade jstree to version 3.3.7 or higher.
Overview
jstree is a jQuery plugin that provides interactive trees.
Affected versions of this package are vulnerable to Arbitrary Code Injection due to using the eval() function in an insecure manner.