Code injection in kill-process-by-name

2021-03-19T21:19:18
ID GHSA-QC65-CGVR-93P6
Type github
Reporter GitHub Advisory Database
Modified 2021-03-25T00:17:45

Description

This affects all versions of the package kill-process-by-name. If attacker-controlled user input is passed to the package, an attacker can execute arbitrary commands. The cause is the use of the child_process exec function without input sanitization in the index.js file.
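The exec pattern described above beside a hardened form, as an added example that is not the package's own code. The function names, the allow-list regex and the use of pkill on a POSIX host are assumptions made for illustration.

```javascript
const { execFile } = require('node:child_process');

// Pattern the advisory describes (illustrative only): a string like this passed
// to child_process.exec() is parsed by a shell, so metacharacters in `name`
// are interpreted instead of being treated as part of the process name.
function unsafeCommandString(name) {
  return `pkill -x ${name}`;
}

// Assumed allow-list: letters, digits, dot, underscore, hyphen, at most 64 chars.
// The first character must be alphanumeric so the value cannot look like an option.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

function isSafeProcessName(name) {
  return typeof name === 'string' && SAFE_NAME.test(name);
}

// Returns [file, argv] for execFile; throws on anything outside the allow-list.
function buildKillInvocation(name) {
  if (!isSafeProcessName(name)) {
    throw new TypeError('rejected process name');
  }
  return ['pkill', ['-x', '--', name]];
}

// Hardened replacement: execFile starts the program directly with an argv array,
// so no shell ever sees `name` and it stays a single argument.
function killByName(name, callback) {
  const [file, args] = buildKillInvocation(name);
  execFile(file, args, (err) => {
    // pkill exits with status 1 when no process matched; report that as false.
    if (err && err.code !== 1) return callback(err);
    callback(null, !err);
  });
}
```

Validation and execFile are independent layers: the argv form removes shell parsing, and the allow-list stops option-like or malformed names from reaching pkill at all.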