arbitrary code execution #1
Description
less.js is vulnerable to arbitrary code execution. An attacker can execute arbitrary shell command during compilation by passing less code that contains malicious embedded JavaScript code to the compiler. This vulnerability can be exploited in various scenarios. 1) An application takes user-input and feeds it to the less compiler. In this case an attacker can compromise the system. 2) A user downloads and compiles a malicious LESS file. These situtations allow a malicious user to compromise the user's system.
The Fix
This vulnerability is in a direct dependency. Vulnerable library less was found in package.json It can be fixed by updating the version of the library in your project and rebuilding it.
To update your package.json file, run the following command
npm install less@3.0.0-pre.1 --save
package.json
"dependencies": {
···
− "less": "2.7.1",
+ "less": "3.0.0-pre.1",
···
}