CVE-2020-15150

Remote Code Execution in paginator (hex)

CVSS 9 CRITICAL · EPSS 3.3% · CWE-94
Vexday Risk Score
28 Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9 · EPSS 3.3% · KEV no · PoC · Nuclei · Metasploit · Patch
Lifecycle
01 Sep 2020: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
There is a vulnerability in Paginator (Elixir/Hex package) which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the paginate() function. This will potentially affect all current users of Paginator prior to version 1.0.0. The vulnerability has been patched in version 1.0.0 and all users should upgrade to this version immediately. Note that this patched version uses a dependency that requires an Elixir version >=1.5.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
duffelhq · paginator
