185 matches found
Command Injection in ps-visitor
This affects all versions up to and including version 0.0.2 of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
Command Injection in picotts
This affects all versions up to and including version 0.1.1 of package picotts. If attacker-controlled user input is given to the say function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
OS Command Injection
git-parse is vulnerable to OS command injection. Untrusted input in gitDiff is passed into an exec function without validation, allowing an attacker to execute arbitrary OS commands on the host OS...
Command Injection in ffmpegdotjs
This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
Design/Logic Flaw
HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'setcommandon' and 'setcommandoff' POST parameters in...
CVE-2020-22000
HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'setcommandon' and 'setcommandoff' POST parameters in...
CVE-2020-22000
CVE-2020-22000 affects HomeAutomation 3.3.2. An authenticated OS command execution vulnerability exists in the customcommand v0.1 plugin, exploitable via CSRF to run arbitrary shell commands as the web user through unsanitized PHP exec() calls in /system/systemplugins/customcommand/customcommand....
Arbitrary Command Execution
ffmpegdotjs is vulnerable to arbitrary command execution. Untrusted user input is passed into the trimvideo function and subsequently parsed in exec function. This allows an attacker to execute arbitrary commands on the host OS...
CVE-2021-23374
This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
Input validation
This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
Design/Logic Flaw
This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input...
CVE-2021-23376 Arbitrary Command Injection
This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
GHSA-MM4F-47CH-F7HX Arbitrary code execution in kill-by-port
This affects the package kill-by-port before 0.0.2. If attacker-controlled user input is given to the killByPort function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
OS Command Injection in rpi
rpi through 0.0.3 allows execution of arbritary commands. The variable pinNumbver in function GPIO within src/lib/gpio.js is used as part of the arguement of exec function without any sanitization...
GHSA-2548-Q746-X5X6 Code injection in port-killer
This affects all versions of package port-killer. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization. Running this PoC will cause the command touch success to be...
GHSA-WHQ6-MJ2R-MJQC OS Command Injection in lsof
All versions including 0.0.4 of lsof npm module are vulnerable to Command Injection. Every exported method used by the package uses the exec function to parse user input...
OS Command Injection in lsof
All versions including 0.0.4 of lsof npm module are vulnerable to Command Injection. Every exported method used by the package uses the exec function to parse user input...
OS Command Injection in im-metadata
im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the "exec" function...
Command Injection in killport
This affects the package killport before 1.0.2. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization. Running this PoC will cause the command touch success to be...
CVE-2021-23348
This affects the package portprocesses before 1.0.5. If attacker-controlled user input is given to the killProcess function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...