7.8

CVE-2023-7245

The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenvpnConnect SwPlatformwindows Version >= 3.2.0 < 3.4.4
OpenvpnConnect SwPlatformmacos Version >= 3.2.0 < 3.4.8
OpenvpnConnect Version3.0.0 Updatebeta SwPlatformmacos
OpenvpnConnect Version3.0.0 Updatebeta SwPlatformwindows
OpenvpnConnect Version3.0.1 Updatebeta SwPlatformmacos
OpenvpnConnect Version3.0.2 Updatebeta SwPlatformmacos
OpenvpnConnect Version3.1.0 Updatebeta SwPlatformmacos
OpenvpnConnect Version3.1.0 Updatebeta SwPlatformwindows
OpenvpnConnect Version3.1.1 Updatebeta SwPlatformmacos
OpenvpnConnect Version3.1.1 Updatebeta SwPlatformwindows
OpenvpnConnect Version3.1.2 Updatebeta SwPlatformwindows
OpenvpnConnect Version3.1.3 Updatebeta SwPlatformwindows
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.19% 0.402
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").