GHSA-M4VV-P6FQ-JHQP Directory Traversal in @vivaxy/here

The @vivaxy/here module is a small web server that serves files with the process' working directory acting as the web root. It is vulnerable to a directory traversal attack. This means that files on the local file system which exist outside of the web root may be disclosed to an attacker. This...

Command Injection in quobject/aws-cli-js

Overview The issue occurs because a user input is formatted inside a command that will be executed without any check. The issue arises here. Proof of Concept Credit: Mik317 1. Create the following PoC file: js // poc.js var awsCli = require"aws-cli-js"; var Options = awsCli.Options; var Aws =...

Code Injection in mateodelnorte/meta-git

Description The meta-git module is vulnerable against command injection since the user-supplied inputs are concatenated with a command which is executed without validation. POC 1. Create a new directory and insert some test files: bash mkdir tests cd tests touch test touch secret touch files 2...