Lucene search
33 matches found

vulnersOsv
added 2022/02/10 11:46 p.m., 3 views

@bionicmetrics/bionic (>=1.2.0 <=1.3.6), @smoosee/wakemeup (>=1.0.9 <=1.20.0) +7 more potentially affected by CVE-2020-7627 via node-key-sender (=1.0.11)

node-key-sender NPM version =1.0.11 is affected by a known vulnerability. The following packages have a transitive dependency on node-key-sender and may be impacted: - @bionicmetrics/bionic =1.2.0, =1.0.9, =1.5.0, =0.0.1, =1.0.0, =1.0.5, =1.2.1, =1.1.0, =2.2.0 Source cves: CVE-2020-7627 Source...

CVSS 9.8, AI score 7.2, EPSS 0.01227
Exploits: 1
Github Security Blog
added 2022/02/10 11:46 p.m., 37 views

OS Command Injection in node-key-sender

node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute' function...

CVSS 9.8, AI score 9.2, EPSS 0.01227
Exploits: 1, References: 4, Affected Software: 1
RedHat Linux
added 2021/08/10 4:14 p.m., 1 view

hivex: Buffer overflow when provided invalid node key length

A flaw was found in the hivex library. It is caused due to a lack of bounds check within the hivexopen function. An attacker could input a specially crafted Windows Registry hive file which would cause hivex to read memory beyond its normal bounds or cause the program to crash. The highest threat...

CVSS 5.8, AI score 7.1, EPSS 0.00163
Exploits: 0, References: 4
Cvelist
added 2021/02/10 8:00 p.m., 12 views

CVE-2021-21296 Denial-of-service in Fleet

Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing. We believe the...

CVSS 2.7, AI score 4.3, EPSS 0.00682
Exploits: 0, References: 3
Veracode
added 2020/04/06 5:54 a.m., 16 views

OS Command Injection

node-key-sender is vulnerable to OS command injection. The vulnerability exists through the unsanitized value of arrParams used in exec...

CVSS 9.8, AI score 3.3, EPSS 0.01227
Exploits: 1, References: 3, Affected Software: 1
CNVD
added 2020/04/03 12:00 a.m., 4 views

node-key-sender command injection vulnerability

node-key-sender is a module that sends keyboard events to the operating system. A command injection vulnerability exists in node-key-sender 1.0.11 and earlier. An attacker can exploit this vulnerability to execute arbitrary commands via the 'arrParams' parameter in the 'execute' function...

CVSS 9.8, AI score 8.3, EPSS 0.01227
Exploits: 1, References: 1
NVD
added 2020/04/02 10:15 p.m., 9 views

CVE-2020-7627

node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute' function...

CVSS 9.8, AI score 9.7, EPSS 0.01227
Exploits: 1, References: 2
OSV
added 2020/04/02 10:15 p.m., 3 views

CVE-2020-7627

node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute' function...

CVSS 9.8, AI score 7.5
Exploits: 0, References: 2
Prion
added 2020/04/02 10:15 p.m., 16 views

Command injection

node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute' function...

CVSS 7.5, AI score 9.6, EPSS 0.01227
Exploits: 1, References: 2, Affected Software: 1
CVE
added 2020/04/02 9:28 p.m., 65 views

CVE-2020-7627

The CVE refers to the npm module node-key-sender (versions up to and including 1.0.11). The root cause is a Command Injection in the function that uses the arrParams argument of the execute() method, allowing execution of arbitrary commands. Multiple connected sources (Red Hat, Snyk, Veracode, CNVD...

CVSS 9.8, AI score 9.7, EPSS 0.01227
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2020/04/02 9:28 p.m., 14 views

CVE-2020-7627

node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute' function...

AI score 9.8, EPSS 0.01227
Exploits: 1, References: 2
vulnersOsv
added 2020/04/02 12:00 a.m., 3 views

@bionicmetrics/bionic (>=1.2.0 <=1.3.6), @smoosee/wakemeup (>=1.0.9 <=1.20.0) +8 more potentially affected by CVE-2020-7627 via node-key-sender (>=1.0.11 <=1.0.9)

node-key-sender NPM version =1.0.11, =1.2.0, =1.0.9, =1.5.0, =0.0.1, =1.0.0, =1.0.5, =0.9.0, =1.2.1, =1.1.0, =2.2.0 Source cves: CVE-2020-7627 Source advisory: SNYK:JS-NODEKEYSENDER-564261...

CVSS 9.8, AI score 7.2, EPSS 0.01227
Exploits: 1
Snyk
added 2020/04/02 12:00 a.m., 2 views

Command Injection

Overview: node-key-sender is a module that sends keyboard events to the operational system. Affected versions of this package are vulnerable to Command Injection. The argument arrParams in function execute can be controlled by users without any sanitization. PoC: var root = require("node-key-sender");...

CVSS 9.8, AI score 5.7, EPSS 0.01227
Exploits: 1, References: 2