700 matches found
PHP-FPM logs from children may be altered
...
CVE-2024-21532
The CVE-2024-21532 issue affects the npm package ggit. Affected versions allow Command Injection via fetchTags(branch): user input specifies the branch, which is concatenated into a git command that is passed to Node.js child_process.exec(), enabling potentially arbitrary commands. Root cause is ...
CVE-2024-21532
All versions of the package ggit are vulnerable to Command Injection via the fetchTagsbranch API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec Node.js child process API...
CVE-2024-21532
All versions of the package ggit are vulnerable to Command Injection via the fetchTagsbranch API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec Node.js child process API...
CVE-2024-44623
An issue in TuomoKu SPx-GC v.1.3.0 and before allows a remote attacker to execute arbitrary code via the childprocess.js function...
SPX Graphics Controller 安全漏洞
SPX Graphics Controller is a graphics controller by Tuomo Kulomaa Personal Developer. Manage and control HTML graphics in real-time productions. A security vulnerability exists in SPX Graphics Controller version v.1.3.0 and earlier versions. A remote attacker can exploit this vulnerability to...
Exploit for Code Injection in Spx Spx_Graphics_Controller
CVE-2024-44623 In SPX-GC...
UBUNTU-CVE-2024-36138
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via childprocess.spawn / childprocess.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option i...
CVE-2024-36138
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via childprocess.spawn / childprocess.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option i...
CVE-2024-36138
CVE-2024-36138 is a chain-vulnerability tied to Node.js: it bypasses the incomplete fix for CVE-2024-27980, exploiting improper handling of batch files on Windows via child_process.spawn/spawnSync. This can allow a malicious command line argument to inject commands and achieve code execution even...
CVE-2024-36138
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via childprocess.spawn / childprocess.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option i...
CVE-2024-36138
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via childprocess.spawn / childprocess.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option i...
SUSE-SU-2024:2496-1 Security update for nodejs18
This update for nodejs18 fixes the following issues: Update to 18.20.4: - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass bsc1227560 - CVE-2024-22020: Fixed a bypass of network import restriction via data URL bsc1227554 Changes in 18.20.3: - This release fixes a regression introduced in Node.js...
SUSE CVE-2024-36138
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via childprocess.spawn / childprocess.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option i...
Improper Control of Generation of Code ('Code Injection')
Overview Affected versions of this package are vulnerable to Improper Control of Generation of Code 'Code Injection'. This is due to a bypass of CVE-2024-27980. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. Note...
SUSE CVE-2024-27980
Due to the improper handling of batch files in childprocess.spawn / childprocess.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled...
Improper Control of Generation of Code ('Code Injection')
Overview Affected versions of this package are vulnerable to Improper Control of Generation of Code 'Code Injection' due to the improper handling of batch files in childprocess.spawn or childprocess.spawnSync. An attacker can inject arbitrary commands and achieve code execution even if the shell...
vm2 - Sandbox Escape Exploit
/ Exploit Title: vm2 Sandbox Escape vulnerability Exploit Author: Calil Khalil & Adriel Mc Roberts Vendor Homepage: https://github.com/patriksimek/vm2 Software Link: https://github.com/patriksimek/vm2 Version: vm2 = 3.9.19 Tested on: Ubuntu 22.04 CVE : CVE-2023-37466 / const VM = require"vm2";...
Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass
Summary Use of raw file descriptors in opnodeipcpipe leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Details Node childprocess IPC relies on the JS side to pass the raw IPC file descript...
GHSA-VVH2-82C7-PPFG network Arbitrary Command Injection vulnerability
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the childprocess exec function without input sanitization. If attacker-controlled user input is given to the macaddressfor function of the package, it is possible for an attacker to execute...