CVE-2020-10800: 
JavaScript vulnerability analysis and mitigation

CVE-2020-10800 affects lix through version 15.8.7, allowing man-in-the-middle attackers to execute arbitrary code by modifying the HTTP client-server data stream. The vulnerability specifically involves manipulation of the Location header to associate it with attacker-controlled executable content in the postDownload field. This vulnerability was disclosed on March 21, 2020 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The package accepts downloads with HTTP and follows location header redirects for package downloads, which enables attackers in privileged network positions to intercept package installations and redirect downloads to malicious sources (GitHub Advisory).

The vulnerability allows attackers to potentially execute arbitrary code through manipulation of the download process. This affects confidentiality, integrity, and availability of the system, with all three aspects rated as High in the CVSS scoring. The vulnerability enables attackers to potentially compromise the entire system through package installation manipulation (NVD).

No official fix was available at the time of disclosure. Users are advised to consider using alternative packages until a fix is made available (GitHub Advisory).