CVE-2020-6836

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-6836

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-6836.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-6836

Aliases

GHSA-rc77-xxq6-4mff

Published

2020-01-11T01:15:10.730Z

Modified

2025-11-14T11:04:29.529429Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may allow attackers to run arbitrary commands on the server.

References

Affected packages

Git / github.com/handsontable/formula-parser

Affected ranges

Type: GIT
Repo: https://github.com/handsontable/formula-parser
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

396b089738d4bf30eb570a4fe6a188affa95cd5e

Affected versions

1.*

1.0.0

1.0.1

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.2

1.0.20

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.1.0

2.2.0

2.3.0

2.3.1

2.3.2

2.3.3

3.*

3.0.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-6836.json"