Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
The SignalK appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm...