Very easy to exploit
Published: Mon Jun 28 12:15:00 2021 UTC. Last Modified: Fri Jul 2 13:19:00 2021 UTC
CPE matches: cpe:2.3:a:narou_project:narou:*:*:*:*:*:*:*:* && versionEndExcluding=3.8.0
Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel.
- Complete loss of protection.
- Access to all information.
- Full Denial Of Service (DoS).
- The attack can be carried out remotely over the network by anyone (no authentication required).
- No user interaction is required.
- The attack is estimated to have a high success rate, once attempted.
Damage and attack conditions obtained from CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSSv3)
Type of bug(s)
- CWE-94, Improper Control of Generation of Code ('Code Injection'): The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.