Command Injection in addax

2020-09-03T02:40:51
ID GHSA-4Q8F-5XXJ-946R
Type github
Reporter GitHub Advisory Database
Modified 2020-09-03T02:40:51

Description

Versions of addax prior to 1.1.0 are vulnerable to Command Injection. The package does not validate user input on the presignPath function which receives input directly from the API endpoint. Exploiting the vulnerability requires authentication. This may allow attackers to run arbitrary commands in the system.

Recommendation

Upgrade to version 1.1.0 or later.