14 matches found
EUVD-2020-0319
Malware in sbrugna...
CVE-2019-15597
An RCE attack was found in node-df, allowing an attacker to inject code via unsanitized input. The issue occurs because user input is concatenated inside a command that will be executed without verification...
@colmena/api (=0.1.0), @colmena/colmena-loopback (>=0.0.4 <=0.2.1) +57 more potentially affected by CVE-2019-15597 via node-df (>=0.1.1 <=0.1.4)
node-df NPM version =0.1.1, =0.0.4, =0.0.1, =1.1.0, =3.0.0-alpha.8, =3.0.0-alpha.1, =3.0.0-alpha.0, =0.1.0, =1.0.0, =1.30.0, =0.0.1, =1.0.0, =1.0.0, =1.1.3 and more Source cves: CVE-2019-15597 Source advisory: OSV:GHSA-WP7M-MRVF-599C...
Command Injection in node-df
All versions of node-df are vulnerable to Command Injection. The package fails to sanitize filenames passed to the file option. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. Recommendation: No fix is currently available. Consider using an...
GHSA-WP7M-MRVF-599C Command Injection in node-df
All versions of node-df are vulnerable to Command Injection. The package fails to sanitize filenames passed to the file option. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. Recommendation: No fix is currently available. Consider using an...
node-df code injection vulnerability
node-df is a cross-platform wrapper for Node.js. A code injection vulnerability exists in node-df version v0.1.4. The vulnerability stems from the process of constructing a code snippet from externally inputted data, where the network system or product does not properly filter special elements of...
CVE-2019-15597
A code injection exists in node-df v0.1.4 that can allow an attacker to perform remote code execution via unsanitized input...
CVE-2019-15597
A code injection exists in node-df v0.1.4 that can allow an attacker to perform remote code execution via unsanitized input...
Code injection
A code injection exists in node-df v0.1.4 that can allow an attacker to perform remote code execution via unsanitized input...
CVE-2019-15597
A code injection exists in node-df v0.1.4 that can allow an attacker to perform remote code execution via unsanitized input...
CVE-2019-15597
CVE-2019-15597 affects the Node.js wrapper package node-df (v0.1.4). The root cause is unsanitized user input being concatenated into a shell command that is executed, enabling an attacker to perform remote code execution (RCE). Several sources explicitly state that all versions are vulnerable du...
Command Injection
Overview: All versions of node-df are vulnerable to Command Injection. The package fails to sanitize filenames passed to the file option. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. Recommendation: No fix is currently available. Consider using an...
Remote Code Execution (RCE)
node-df is vulnerable to remote code execution (RCE). The attack exists because it does not sanitize the user input before it is concatenated inside the command parameter for execution, allowing an attacker to inject malicious code through it...
Node.js third-party modules: [node-df] RCE via insecure command concatenation
I would like to report an RCE issue in the node-df module. It allows executing arbitrary commands remotely inside the victim's PC. Module: module name: node-df; version: 0.1.4; npm page: https://www.npmjs.com/package/node-df. Module Description: node-df abbreviation of disk free is a cross-platform...