Full title: Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution Exploit 
Category: remote exploits
Platform: multiple
This module exploits an un-authenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an attacker to dynamically execute JavaScript code on the server side using an eval. Note that the code uses a '\x2f' character so that we hit the match on the regex.

# 0day.today @ http://0day.today/