CVE-2022-42002
CRITICAL
sonicjs < 0.6.0 - Unauthenticated Arbitrary File Write and Delete via fileCreate and fileUpdate Mutations
Title source: llm
Description
SonicJS through 0.6.0 allows file overwrite. It has the following mutations that are used for updating files: fileCreate and fileUpdate. Both of these mutations can be called without any authentication to overwrite any files on a SonicJS application, leading to Arbitrary File Write and Delete.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/blog/graphql-security-static-analysis-snyk-code/
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/lane711/sonicjs/tags
Scores
CVSS v3: 9.1
EPSS: 0.0104
EPSS Percentile: 59.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE: CWE-787
Status: published
Products (1): sonicjs/sonicjs < 0.6.0
Published: Oct 01, 2022
Tracked Since: Feb 18, 2026