CodeceptJS's incomprehensive sanitation can lead to Command Injection
CodeceptJS versions 3.5.0 through 3.7.5-beta.18 contain a command injection vulnerability in the emptyFolder function lib/utils.js. The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary...
Malicious code in @crypto-lib/utils (npm)
The package @crypto-lib/utils was found to contain malicious code...
Prototype Pollution
Overview: mquery is an expressive query builder for MongoDB. Affected versions of this package are vulnerable to Prototype Pollution via the merge function within lib/utils.js. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program. PoC...
Command Injection
Amendment: This was deemed not a vulnerability. Overview: Affected versions of this package are vulnerable to Command Injection via the lib/utils.js file, which is required by the main entry of the package. Note: CVE-2020-28432 has been retracted because it was found to be invalid. Further investigatio...