CVE-2020-28464
CRITICALdjv < 2.1.4 - Remote Code Execution via Schema File Injection
Title source: llmDescription
This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine.
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-DJV-1014545
Broken Link x_refsource_misc
https://github.com/korzio/djv/blob/master/lib/utils/properties.js%23L55
Patch, Third Party Advisory x_refsource_misc
https://github.com/korzio/djv/pull/98/files
Scores
CVSS v3
9.8
EPSS
0.0300
EPSS Percentile
85.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (2)
djv_project/djv
< 2.1.4
npm/djv
0 - 2.1.4npm
Published
Jan 04, 2021
Tracked Since
Feb 18, 2026