
CVE-2020-7672: Code Injection in mosc

CVSS Score (v3.1): 8.6

Basic Information

EPSS Score: 0.75532%
Published: 5/17/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Package Name: mosc
Ecosystem: npm
Vulnerable Versions: <= 1.0.0
First Patched Version: none

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The vulnerability description explicitly states that user input supplied through the 'properties' argument is executed by eval.
  2. The Snyk PoC demonstrates attacker-supplied code being passed to parse_properties.
  3. CWE-94 (Code Injection) maps directly to evaluating untrusted input with eval.
  4. Although the file path is not documented, the function name (parse_properties) and the attack pattern are consistent across all sources.
  5. No fix has been released, so the vulnerable function remains unchanged in every version <= 1.0.0; the only mitigation is to stop passing untrusted data to 'properties' or to remove the dependency.

WAF Protection Rules

WAF Rule

mosc through 1.0.0 is vulnerable to arbitrary code execution. User input provided to the `properties` argument is executed by the `eval` function, resulting in code execution.
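The root cause analysis above and this description both reduce to one sink: a string from the caller is evaluated with `eval`. The following is an added example, not mosc's source (the package's actual file, the `parse_properties` implementation and the exact input format are not documented on this page), that reproduces the pattern in a function named `parsePropertiesUnsafe` and places a parser that never evaluates its input beside it. The "key:value,key:value" format, both function names and the payload are assumptions constructed for the demonstration.

```javascript
// Added example (not mosc's own code): the eval-on-user-input pattern that
// CVE-2020-7672 describes, next to a parser that never evaluates its input.
// The "key:value,key:value" format and both function names are assumptions.

// Vulnerable pattern: wrap the caller's string in an object literal and hand
// it to eval. Whatever the string contains runs with the caller's privileges.
function parsePropertiesUnsafe(properties) {
  return eval('({' + properties + '})');
}

// Hardened parser for the same format: split into pairs, validate each key,
// and convert values with a fixed rule. No code path evaluates the input.
function parsePropertiesSafe(properties) {
  // Null prototype: a "__proto__" key becomes an own property instead of
  // rewriting the object's prototype (prototype pollution guard).
  const result = Object.create(null);
  for (const pair of properties.split(',')) {
    const idx = pair.indexOf(':');
    if (idx === -1) throw new Error('malformed property: ' + pair);
    const key = pair.slice(0, idx).trim();
    const raw = pair.slice(idx + 1).trim();
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) throw new Error('bad key: ' + key);
    result[key] = parseValue(raw);
  }
  return result;
}

// Accepts only number, boolean and double-quoted string literals; anything
// else (including code) is rejected rather than interpreted.
function parseValue(raw) {
  if (/^-?\d+(\.\d+)?$/.test(raw)) return Number(raw);
  if (raw === 'true' || raw === 'false') return raw === 'true';
  if (/^"[^"\\]*"$/.test(raw)) return raw.slice(1, -1);
  throw new Error('bad value: ' + raw);
}

// Constructed payload (assumption, for demonstration): closes the object
// literal the parser opened, runs a statement, then reopens a literal so the
// surrounding "({ ... })" still parses. The statement only sets a marker.
const CONSTRUCTED_PAYLOAD = 'w:1}); globalThis.injected = "executed"; ({x:1';

// Reports whether a parser let the payload run code: true for the eval-based
// parser, false for the hardened one (which throws on the malformed value).
function payloadExecutes(parser) {
  delete globalThis.injected;
  try {
    parser(CONSTRUCTED_PAYLOAD);
  } catch (e) {
    // the hardened parser rejects the input here
  }
  return globalThis.injected === 'executed';
}

console.log('eval-based parser executed payload:', payloadExecutes(parsePropertiesUnsafe));
console.log('hardened parser executed payload:', payloadExecutes(parsePropertiesSafe));
console.log('hardened parser on benign input:', parsePropertiesSafe('width:10,height:20,name:"box"'));
```

The check to carry over to the real package is the same: the value handed to `properties` must be parsed, never evaluated, and any caller that builds it from request data, filenames or metadata is reachable by an attacker. Because no patched version exists, a detection rule that flags `eval(` reachable from `parse_properties` in mosc <= 1.0.0 is the practical control while the dependency is replaced.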
