7.8

CVE-2023-7245

The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenvpnConnect SwPlatformwindows Version >= 3.2.0 < 3.4.4
OpenvpnConnect SwPlatformmacos Version >= 3.2.0 < 3.4.8
OpenvpnConnect Version3.0.0 Updatebeta SwPlatformmacos
OpenvpnConnect Version3.0.0 Updatebeta SwPlatformwindows
OpenvpnConnect Version3.0.1 Updatebeta SwPlatformmacos
OpenvpnConnect Version3.0.2 Updatebeta SwPlatformmacos
OpenvpnConnect Version3.1.0 Updatebeta SwPlatformmacos
OpenvpnConnect Version3.1.0 Updatebeta SwPlatformwindows
OpenvpnConnect Version3.1.1 Updatebeta SwPlatformmacos
OpenvpnConnect Version3.1.1 Updatebeta SwPlatformwindows
OpenvpnConnect Version3.1.2 Updatebeta SwPlatformwindows
OpenvpnConnect Version3.1.3 Updatebeta SwPlatformwindows
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.19% 0.407
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").