BF Specification of CVE-2023-1283 Code Injection in GitHub repository builderio/qwik prior to 0.21.0.
//generated//
Missing Code (in 'reviveValues()'s) to Format Sanitize deserialization of object with code (value === UNDEFINED_PREFIX) Stored (serialized object) in Codebase (packages/qwik/src/core/container/resume.ts#L234) Local leads to Source Code Injection ((cross site scripting -- XSS))
. If exploited this can lead to ACE (RCE) (everything could be lost).
vendor:product: builder:qwik |
Class | Definition |
DVL | Data Validation (DVL) class – Data are validated (syntax check) or sanitized (escape, filter, repair) improperly. |
Operation | Definition |
Sanitize | Sanitize operation – Modify data (neutralize/escape, filter/remove, repair/add symbols) to make it valid (well-formed). |
Cause/Consequence | Definition |
Code Bug | Code Bug type – Defect in the implementation of the operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability. |
Missing Code | Missing Code bug - The operation is entirely absent. |
Injection Final Error | Injection exploitable error type – An exploitable or undefined system behavior caused by 'code separation' data validation bugs. |
Source Code Injection | Source Code Injection exploitable error – Maliciously inserted new code (incl. with <> elements) into an input used as a part of an executing application code. |
Operation Attribute | Definition |
Mechanism | Mechanism operation attribute type – Shows how the buggy/faulty operation code is performed. |
Format | Format operation attribute – The operation is via a policy based on syntax format (e.g., defined via regular expression). |
Source Code | Source Code operation attribute type – Shows where the operation with the bug or a faulty operand is in the program – in what kind of software. |
Codebase | Codebase operation attribute – The operation is in the programmer's code - in the application itself. |
Execution Space | Execution Space operation attribute type – Shows where the buggy/faulty operation code is running or with what privilege level. |
Local | Local operation attribute – The bugged code runs in an environment with access control policy with limited (local user) permission. |
Operand Attribute | Definition |
Data State | Data State operand attribute type operand attribute – Shows where the data come from. |
Stored | Stored operand attribute – Data are from a permanent storage (e.g., file, database on a storage device); they are at rest. |