Base Score

LOW3.5

CVE-2016-10538

The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

VectorNETWORK

Published Bysupport@hackerone.com

Published DateMay 31, 2018, 20:29

Affected Versions(1)

cli(npm)

Introduced0

Fixed1.0.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
cli(npm)	0	1.0.0	N/A

Weakness Type (CWE):CWE-362

CVSS Metrics

Base Score

3.5

Vector String

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Base Severity

LOW

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

LOW3.5

Weakness Type (CWE):CWE-362

CVSS Metrics

Base Score

3.5

Vector String

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Base Severity

LOW

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE