Lucene search
GoogleOSV:GHSA-4449-HG37-77V8HistoryFeb 05, 2021 - 8:43 p.m.
Command injection in total.js
2021-02-0520:43:27
Google
osv.dev
6
0.004 Low
EPSS
Percentile
73.4%
There is a command injection vulnerability that affects the package total.js before version 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized.
Related
nvd
nvd
CVE-2020-28494
2021-02-02 11:15:13
cvelist
cvelist
CVE-2020-28494 Command Injection
2021-02-02 00:00:00
veracode
veracode
OS Command Injection
2021-02-03 05:11:41
github
github
Command injection in total.js
2021-02-05 20:43:27
cve
cve
CVE-2020-28494
2021-02-02 11:15:13
prion
prion
Design/Logic Flaw
2021-02-02 11:15:00
nodejs
nodejs
Command Injection
2021-02-23 02:24:40
osv
osv
CVE-2020-28494
2021-02-02 11:15:13
openvas
openvas
Total.js < 3.4.7 Multiple Vulnerabilities
2021-02-08 00:00:00