
104 matches found

Github Security Blog
added 2021/05/07 4:16 p.m., 100 views

OS Command Injection in node-prompt-here

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The runCommand is called by getDevices function in file linux/manager.js, which is required by the index. process.env.NMCLI in the file linux/manager.js. This function is used to construct the argument of function execSync,...

CVSS 9.8, AI score 9, EPSS 0.02534
Exploits: 1, References: 3, Affected Software: 1
Github Security Blog
added 2021/03/19 9:32 p.m., 62 views

total.js Remote Code Execution Vulnerability

total.js is a framework for the Node.js platform written in pure JavaScript, similar to PHP's Laravel, Python's Django or ASP.NET MVC. It can be used for web, desktop, service or IoT applications. Affected versions of this package are vulnerable to Remote Code Execution (RCE) via set. PoC js // To be ru...

CVSS 9.8, AI score 9.3, EPSS 0.04787
Exploits: 1, References: 4, Affected Software: 1
Veracode
added 2021/02/09 6:54 a.m., 15 views

Command Injection

gitlog is vulnerable to command injection. The vulnerability exists through the value of branch where unsanitized inputs are sent to the execSync function...

CVSS 9.8, AI score 3.4, EPSS 0.05362
Exploits: 1, References: 5, Affected Software: 1
Github Security Blog
added 2021/01/29 6:13 p.m., 54 views

Command Injection in @graphql-tools/git-loader

This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection...

CVSS 8.8, AI score 4.4, EPSS 0.02814
Exploits: 0, References: 7, Affected Software: 1
OSV
added 2021/01/29 6:13 p.m., 18 views

GHSA-VHHW-XJVF-WPRR Command Injection in @graphql-tools/git-loader

This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection...

CVSS 8.8, AI score 9, EPSS 0.02814
Exploits: 0, References: 6
Cvelist
added 2021/01/20 12:30 p.m., 16 views

CVE-2021-23326 Command Injection

This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection...

CVSS 6.3, AI score 9.3, EPSS 0.02814
Exploits: 0, References: 5
Github Security Blog
added 2020/09/04 5:32 p.m., 18 views

Command Injection in npm-git-publish

All versions of npm-git-publish are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an execSync call, which may allow attackers to execute arbitrary code in the system. The publish function is vulnerable through the gitRemoteUrl variable...

AI score 7.1
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2020/09/04 5:32 p.m., 10 views

GHSA-49MG-94FC-2FX6 Command Injection in npm-git-publish

All versions of npm-git-publish are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an execSync call, which may allow attackers to execute arbitrary code in the system. The publish function is vulnerable through the gitRemoteUrl variable...

AI score 8
Exploits: 0, References: 2
Github Security Blog
added 2020/09/04 5:27 p.m., 20 views

Remote Code Execution in mongodb-query-parser

Versions of mongodb-query-parser prior to 2.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize queries, allowing attackers to execute arbitrary code in the system. Parsing the following payload executes touch test-file: 'function return clearImmediate.constructor"return...

AI score 7
Exploits: 0, References: 2, Affected Software: 1
Veracode
added 2020/08/21 4:2 a.m., 13 views

OS Command Injection

extra-ffmpeg is vulnerable to OS command injection. A user input parameter is passed to the function execSync without any validation or sanitization...

AI score 2.9
Exploits: 0
Veracode
added 2020/06/16 8:17 a.m., 14 views

OS Command Injection

devcert is vulnerable to remote code execution (RCE). This is possible because it does not validate the user-provided, string-concatenated input to the run command in utils.js, which is subsequently passed to execSync, leading to execution of malicious commands...

CVSS 9.8, AI score 3.5, EPSS 0.02774
Exploits: 1, References: 3, Affected Software: 1
Veracode
added 2020/05/11 12:43 a.m., 12 views

OS Command Injection

logkitty is vulnerable to OS Command Injection. The vulnerability exists as the variable adbPath is not sanitized and can reach execSync...

CVSS 9.8, AI score 3.5, EPSS 0.0201
Exploits: 1, References: 3, Affected Software: 1
OSV
added 2020/03/15 10:15 p.m., 9 views

CVE-2020-7602

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand" is called by "getDevices" function in file "linux/manager.js", which is required by the "index. process.env.NMCLI" in the file "linux/manager.js". This function is used to construct the argument of function...

CVSS 9.8, AI score 7
Exploits: 0, References: 1
NVD
added 2020/03/15 10:15 p.m., 10 views

CVE-2020-7602

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand" is called by "getDevices" function in file "linux/manager.js", which is required by the "index. process.env.NMCLI" in the file "linux/manager.js". This function is used to construct the argument of function...

CVSS 9.8, AI score 9.5, EPSS 0.02534
Exploits: 1, References: 1
Cvelist
added 2020/03/15 9:26 p.m., 12 views

CVE-2020-7602

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand" is called by "getDevices" function in file "linux/manager.js", which is required by the "index. process.env.NMCLI" in the file "linux/manager.js". This function is used to construct the argument of function...

AI score 9.6, EPSS 0.02534
Exploits: 1, References: 1
Veracode
added 2020/02/05 12:24 a.m., 16 views

OS Command Injection

network-manager is vulnerable to OS command injection. The vulnerability exists as the unsanitized value of index.process.env.NMCLI in linux/manager.js, used by getDevices in linux/manager.js, reaches childprocess.execSync through runCommand...

CVSS 9.8, AI score 3, EPSS 0.02101
Exploits: 1, References: 1, Affected Software: 1
NVD
added 2020/02/04 9:15 p.m., 9 views

CVE-2019-10786

network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the "execSync" argument...

CVSS 9.8, AI score 9.8, EPSS 0.02101
Exploits: 1, References: 1
OSV
added 2020/02/04 9:15 p.m., 5 views

CVE-2019-10786

network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the "execSync" argument...

CVSS 9.8, AI score 7.6, EPSS 0.02101
Exploits: 1, References: 1
CVE
added 2020/02/04 8:19 p.m., 77 views

CVE-2019-10786

CVE-2019-10786 concerns the network-manager module (through 1.0.2). The vulnerability arises from improper validation of user-supplied input in execSync usage, enabling remote attackers to run arbitrary commands via the execSync argument (examples and PoC show NM_CLI-driven command execution). Af...

CVSS 9.8, AI score 9.8, EPSS 0.02101
Exploits: 1, References: 1, Affected Software: 1
Node.js
added 2020/01/17 9:40 p.m., 11 views

Command Injection

Overview All versions of npm-git-publish are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an execSync call, which may allow attackers to execute arbitrary code in the system. The publish function is vulnerable through the gitRemoteUrl variable...

AI score 7.8
Exploits: 0, Affected Software: 1