GHSA-4hv7-3q38-97m8

Source

https://github.com/advisories/GHSA-4hv7-3q38-97m8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-4hv7-3q38-97m8/GHSA-4hv7-3q38-97m8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4hv7-3q38-97m8

Aliases

CVE-2020-28464

Published

2021-04-13T15:24:47Z

Modified

2026-03-13T21:56:27.725863Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Arbitrary code execution in djv

Details

This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine.

Database specific

{
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-06T23:35:22Z",
    "nvd_published_at": "2021-01-04T12:15:00Z",
    "severity": "CRITICAL"
}

References

Affected packages

npm / djv

Package

Name: djv; View open source insights on deps.dev
Purl: pkg:npm/djv

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-4hv7-3q38-97m8/GHSA-4hv7-3q38-97m8.json"