
9 matches found

Hacker One
added 2020/05/28 7:8 p.m., 11 views

Node.js third-party modules: [commit-msg] RCE via insecure command formatting

I would like to report an RCE issue in the commit-msg module. It allows executing arbitrary commands remotely inside the victim's PC. Module module name: commit-msg version: 0.2.3 npm page: https://www.npmjs.com/package/commit-msg Module Description commit-msg is a customizable git commit message...

AI score: 1.8
Exploits: 0

Hacker One
added 2020/05/01 7:55 p.m., 13 views

Node.js third-party modules: [diskstats] Command Injection via insecure command concatenation

I would like to report a Command Injection issue in the diskstats module. It allows executing arbitrary commands on the victim's PC. Module module name: diskstats version: 0.0.2 npm page: https://www.npmjs.com/package/diskstats Module Description This library uses df to pull disk information suc...

AI score: 0.5
Exploits: 0

Hacker One
added 2020/02/07 4:34 p.m., 16 views

Node.js third-party modules: [sirloin] Web Server Directory Traversal via Crafted GET Request

I would like to report path traversal in the Sirloin module. It allows an attacker to read system files via path traversal local/remote. Module module name: Sirloin version: 0.15.0 latest release build npm page: https://www.npmjs.com/package/sirloin Module Description This high performance, extremely...

AI score: 1.4
Exploits: 0

Hacker One
added 2019/11/02 10:35 p.m., 18 views

Node.js third-party modules: [git-promise] RCE via insecure command formatting

I would like to report an RCE issue in the git-promise module. It allows executing arbitrary commands remotely inside the victim's PC. Module module name: git-promise version: 0.3.1 npm page: https://www.npmjs.com/package/git-promise Module Description Simple wrapper that allows you to run any git...

AI score: 1.2
Exploits: 0

Hacker One
added 2019/03/14 3:6 p.m., 17 views

Node.js third-party modules: [md-fileserver] Path Traversal

I would like to report path traversal in the md-fileserver module. It allows an attacker to read system files via path traversal through the command line. Module module name: md-fileserver version: 1.3.2 npm page: https://www.npmjs.com/package/md-fileserver Module Description Starts a local server to rende...

AI score: 0.9
Exploits: 0

Hacker One
added 2018/09/19 11:6 a.m., 25 views

Node.js third-party modules: [http-live-simulator] Path traversal vulnerability

Module module name: http-live-simulator version: 1.0.6 npm page: https://www.npmjs.com/package/http-live-simulator Description this vulnerability is a bypass for the one found in this report in version 1.0.5 Steps To Reproduce: 1- Install the module : npm install -g http-live-simulator 2- Run the...

CVSS: 5, AI score: 0.4, EPSS: 0.0165
Exploits: 1

Hacker One
added 2018/09/01 2:29 a.m., 25 views

Node.js third-party modules: [tianma-static] Stored xss on filename

I would like to report stored XSS in tianma-static. It allows anyone to execute arbitrary JavaScript for doing anything. Module module name: tianma-static version: 1.0.4 npm page: https://www.npmjs.com/package/tianma-static Module Description Provide a static file service. Vulnerability Vulnerabili...

CVSS: 4.3, AI score: 0.3, EPSS: 0.00765
Exploits: 1

Hacker One
added 2018/03/27 1:52 p.m., 23 views

Node.js third-party modules: [html-pages] Stored XSS in the filename when directories listing

I would like to report a Stored XSS vulnerability in html-pages. It allows executing malicious JavaScript code in the user's browser. Module module name: html-pages version: 2.1.1 npm page: https://www.npmjs.com/package/html-pages Module Description Simple development http server for file serving a...

CVSS: 4.3, AI score: 5.9, EPSS: 0.00691
Exploits: 1

Hacker One
added 2018/02/25 6:53 a.m., 30 views

Node.js third-party modules: `whereis` concatenates unsanitized input into exec() command

I would like to report command injection in whereis. It allows injecting arbitrary shell commands by trying to locate crafted filenames. Module module name: whereis version: 0.4.0 npm page: https://www.npmjs.com/package/whereis Module Description Simply get the first path to a bin on any system...

CVSS: 7.5, AI score: 9.6, EPSS: 0.0276
Exploits: 1