13 matches found

UbuntuCve
added 2025/01/09 1:15 a.m., 36 views

CVE-2024-27980

Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled...

8.1 CVSS, 7.7 AI score, 0.00369 EPSS
Exploits 0, References 2
OSV
added 2024/09/10 7:13 a.m., 20 views

BIT-NODE-2024-36138

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option i...

8.1 CVSS, 7.5 AI score, 0.00261 EPSS
Exploits 0, References 4
Tenable Nessus
added 2024/07/18 12:0 a.m., 33 views

SUSE SLES15 / openSUSE 15 Security Update : nodejs18 (SUSE-SU-2024:2542-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2542-1 advisory. Update to 18.20.4: - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass bsc1227560 - CVE-2024-22020: Fixed a bypass of...

8.1 CVSS, 7.6 AI score, 0.00369 EPSS
Exploits 0, References 10
Tenable Nessus
added 2024/04/29 12:0 a.m., 25 views

Fedora 40 : nodejs18 (2024-2c52524694)

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-2c52524694 advisory. 2024-04-10, Version 18.20.2 'Hydrogen' LTS, @RafaelGSS This is a security release. Notable Changes CVE-2024-27980 - Command injection via args parameter of...

8.1 CVSS, 8.1 AI score, 0.00369 EPSS
Exploits 0, References 2
Tenable Nessus
added 2024/04/20 12:0 a.m., 28 views

Fedora 39 : nodejs18 (2024-8d548b8c96)

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-8d548b8c96 advisory. 2024-04-10, Version 18.20.2 'Hydrogen' LTS, @RafaelGSS This is a security release. Notable Changes CVE-2024-27980 - Command injection via args parameter of...

8.1 CVSS, 8.1 AI score, 0.00369 EPSS
Exploits 0, References 2
Tenable Nessus
added 2024/04/19 12:0 a.m., 65 views

Node.js 18.x < 18.20.2 / 20.x < 20.12.2 / 21.x < 21.7.3 Command Injection Vulnerability (Wednesday, April 10, 2024 Security Releases).

The version of Node.js installed on the remote host is prior to 18.20.2, 20.12.2, 21.7.3. It is, therefore, affected by a command injection vulnerability as referenced in the Wednesday, April 10, 2024 Security Releases advisory. This is due to the improper handling of batch files in...

8.1 CVSS, 8.9 AI score, 0.00369 EPSS
Exploits 0, References 2
Hacker One
added 2024/04/13 10:23 a.m., 69 views

Node.js: Bypass incomplete fix of CVE-2024-27980

The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arose from improper handling of batch files with all possible extensions on Windows via child_process.spawn and child_process.spawnSync. A malicious command line argument could have been used ...

8.1 CVSS, 7.5 AI score, 0.00369 EPSS
Exploits 0
Github Security Blog
added 2021/02/05 8:43 p.m., 118 views

Command injection in total.js

There is a command injection vulnerability that affects the package total.js before version 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because...

8.6 CVSS, 8.8 AI score, 0.01199 EPSS
Exploits 1, References 5, Affected Software 1
OSV
added 2021/02/05 8:43 p.m., 13 views

GHSA-4449-HG37-77V8 Command injection in total.js

There is a command injection vulnerability that affects the package total.js before version 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because...

8.6 CVSS, 8.7 AI score, 0.01199 EPSS
Exploits 1, References 4
OSV
added 2021/02/02 11:15 a.m., 12 views

CVE-2020-28494

This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true an...

8.6 CVSS, 6.8 AI score
Exploits 0, References 2
CVE
added 2021/02/02 10:25 a.m., 103 views

CVE-2020-28494

Summary: CVE-2020-28494 affects the total.js package (before 3.4.7). The vulnerability occurs in the image.pipe and image.stream functions where the type parameter is used to build a command that is executed via child_process.spawn with the option shell: true, and the type value is not properly s...

8.6 CVSS, 8.6 AI score, 0.01199 EPSS
Exploits 1, References 2, Affected Software 1
Cvelist
added 2021/02/02 10:25 a.m., 10 views

CVE-2020-28494 Command Injection

This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true an...

8.6 CVSS, 8.7 AI score, 0.01199 EPSS
Exploits 1, References 2
Hacker One
added 2020/05/01 7:55 p.m., 12 views

Node.js third-party modules: [diskstats] Command Injection via insecure command concatenation

I would like to report a Command Injection issue in the diskstats module. It allows to execute arbitrary commands on the victim's PC. Module module name: diskstats version: 0.0.2 npm page: https://www.npmjs.com/package/diskstats Module Description This library uses df to pull disk information suc...

0.5 AI score
Exploits 0