Potential Command Injection in hubot-scripts

2020-08-31T22:46:38
ID GHSA-HWCH-749C-RV63
Type github
Reporter GitHub Advisory Database
Modified 2020-08-31T22:46:38

Description

Versions 2.4.3 and earlier of hubot-scripts are vulnerable to command injection in the hubot-scripts/package/src/scripts/email.coffee module.

Mitigating Factors

The email script is not enabled by default; it has to be manually added to hubot's list of loaded scripts.

Recommendation

Update hubot-scripts to version 2.4.4 or later.
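
The following check combines the mitigating factor and the recommendation above into a single audit of one Hubot deployment. It is an added example, not code from the advisory or from the hubot-scripts project. It assumes the list of loaded scripts is the JSON array stored in `hubot-scripts.json`; the function names and status strings are hypothetical, and the sample inputs are constructed.

```javascript
// Added example: audit a Hubot deployment against this advisory.
// Assumption: the loaded-scripts list is the JSON array in hubot-scripts.json.
const FIXED = [2, 4, 4];          // first fixed release, per the advisory
const AFFECTED_SCRIPT = "email";  // src/scripts/email.coffee

// Parse "2.4.3" or "v2.4.3" into [2, 4, 3]; anything else is rejected
// so that an unreadable version is never silently treated as safe.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric, component-wise comparison (so 2.10.0 is not below 2.4.4).
function isBelowFixed(v) {
  const a = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== FIXED[i]) return a[i] < FIXED[i];
  }
  return false;
}

// True when the loaded-scripts list names the email script,
// with or without a file extension.
function loadsEmailScript(scriptsJson) {
  const list = JSON.parse(scriptsJson);
  if (!Array.isArray(list)) throw new Error("expected a JSON array of script names");
  return list.some((name) =>
    String(name).trim().toLowerCase().replace(/\.(coffee|js)$/, "") === AFFECTED_SCRIPT);
}

// "exposed": affected version and email script loaded.
// "upgrade": affected version installed, email script not loaded.
// "ok":      version 2.4.4 or later.
function audit(installedVersion, scriptsJson) {
  const affected = isBelowFixed(installedVersion);
  if (affected && loadsEmailScript(scriptsJson)) return "exposed";
  return affected ? "upgrade" : "ok";
}

// Constructed sample inputs.
console.log(audit("2.4.3", '["redis-brain.coffee", "email.coffee"]')); // exposed
console.log(audit("2.4.3", '["redis-brain.coffee"]'));                 // upgrade
console.log(audit("2.4.4", '["email.coffee"]'));                       // ok
```

An "upgrade" result still calls for the update, since the affected script remains on disk and can be enabled later.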