Command Injection in @graphql-tools/git-loader

This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection...

GHSA-VHHW-XJVF-WPRR Command Injection in @graphql-tools/git-loader

This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection...

CVE-2021-23326 Command Injection

This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection...

GHSA-49MG-94FC-2FX6 Command Injection in npm-git-publish

All versions of npm-git-publish are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an execSync call, which may allow attackers to execute arbitrary code in the system. The publish function is vulnerable through the gitRemoteUrl variable...

Command Injection in npm-git-publish

All versions of npm-git-publish are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an execSync call, which may allow attackers to execute arbitrary code in the system. The publish function is vulnerable through the gitRemoteUrl variable...

Remote Code Execution in mongodb-query-parser

Versions of mongodb-query-parser prior to 2.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize queries, allowing attackers to execute arbitrary code in the system. Parsing the following payload executes touch test-file: 'function return clearImmediate.constructor"return...

OS Command Injection

extra-ffmpeg is vulnerable to OS command injection. A user input parameter is passed to the function execSync without any validation or sanitization...

OS Command Injection

devcert is vulnerable to remote code execution RCE. It is possible because it does not validate the user-provided string-concatenated input to the run command in utils.js, which is subsequently passed to execSync, leading to execution of malicious commands...

OS Command Injection

logkitty is vulnerable to OS Command Injection. The vulnerability exists as the variable adbPath is not sanitized and can reach execSync...

CVE-2020-7602

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand" is called by "getDevices" function in file "linux/manager.js", which is required by the "index. process.env.NMCLI" in the file "linux/manager.js". This function is used to construct the argument of function...

CVE-2020-7602

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand" is called by "getDevices" function in file "linux/manager.js", which is required by the "index. process.env.NMCLI" in the file "linux/manager.js". This function is used to construct the argument of function...

CVE-2020-7602

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand" is called by "getDevices" function in file "linux/manager.js", which is required by the "index. process.env.NMCLI" in the file "linux/manager.js". This function is used to construct the argument of function...

OS Command Injection

network-manager is vulnerable to OS command injection. The vulnerability exists as the unsanitized value of index.process.env.NMCLI in linux/manager.js, used by getDevices in linux/manager.js, reaches childprocess.execSync through runCommand...

CVE-2019-10786

network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the "execSync" argument...

CVE-2019-10786

network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the "execSync" argument...

CVE-2019-10786

CVE-2019-10786 concerns the network-manager module (through 1.0.2). The vulnerability arises from improper validation of user-supplied input in execSync usage, enabling remote attackers to run arbitrary commands via the execSync argument (examples and PoC show NM_CLI-driven command execution). Af...

Command Injection

Overview All versions of npm-git-publish are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an execSync call, which may allow attackers to execute arbitrary code in the system. The publish function is vulnerable through the gitRemoteUrl variable...

Arbitrary Command Injection

npm-git-publish is vulnerable to arbitrary command injection. The vulnerability exists as gitRemoteUrl and gitRepoDir in lib/publish.ts are not sanitized, and are passed to execSync as a value to be executed...

Remote Code Execution Vulnerability in NPM mongo-express

Impact Remote code execution on the host machine by any authenticated user. Proof Of Concept Launching mongo-express on a Mac, pasting the following into the "create index" field will pop open the Mac calculator: javascript this.constructor.constructor"return...

GHSA-38H8-X697-GH8Q Tmp files readable by other users in sync-exec

Affected versions of sync-exec use files located in /tmp/ to buffer command results before returning values. As /tmp/ is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via sync-exec under a higher privilege...