
11 matches found

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-0333

Malware in sbrugna...

CVSS 9.8 | AI score 9.3 | EPSS 0.0059
Exploits: 1 | References: 6

Snyk
added 2023/04/04 8:19 a.m. | 1 views

Malicious Package

Overview xpl-whereis is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...

CVSS 9.8 | AI score 7.1
Exploits: 0 | References: 3

CNVD
added 2018/08/01 12:0 a.m. | 1 views

whereis npm module command execution vulnerability

The whereis npm module is a module for searching for files in Linux, it is mainly used to search for binary files, man description files, source code files, and so on. A command execution vulnerability exists in versions of the whereis npm module prior to 0.4.1. An attacker can exploit this...

CVSS 9.8 | AI score 9.7 | EPSS 0.0059
Exploits: 1 | References: 1

vulnersOsv
added 2018/07/31 6:28 p.m. | 0 views

browsertime (>=0.8.1 <=0.8.6), cssnow (=2.0.0) +4 more potentially affected by CVE-2018-3772 via whereis (>=0.2.1 <=0.4.0)

whereis NPM version =0.2.1, =0.8.1, =2.1.2, =0.0.1, =2.42.0-2.9.0, =3.0.0-alpha, =3.0.0-alpha-8 Source cves: CVE-2018-3772 Source advisory: OSV:GHSA-WJR4-2JGW-HMV8...

CVSS 9.8 | AI score 7.2 | EPSS 0.0059
Exploits: 1

Github Security Blog
added 2018/07/31 6:28 p.m. | 18 views

Command Injection in whereis

Versions of whereis before 0.4.1 are vulnerable to command injection if untrusted user input is passed into whereis. Recommendation Update to version 0.4.1 or later...

CVSS 9.8 | AI score 4 | EPSS 0.0059
Exploits: 1 | References: 5 | Affected Software: 1

OSV
added 2018/07/31 6:28 p.m. | 0 views

GHSA-WJR4-2JGW-HMV8 Command Injection in whereis

Versions of whereis before 0.4.1 are vulnerable to command injection if untrusted user input is passed into whereis. Recommendation Update to version 0.4.1 or later...

CVSS 9.8 | AI score 7.2 | EPSS 0.0059
Exploits: 1 | References: 5

OSV
added 2018/07/30 6:29 p.m. | 3 views

CVE-2018-3772

Concatenating unsanitized user input in the whereis npm module 0.4.1 allowed an attacker to execute arbitrary commands. The whereis module is deprecated and it is recommended to use the which npm module instead...

CVSS 9.8 | AI score 6
Exploits: 0 | References: 1

CVE
added 2018/07/30 6:0 p.m. | 41 views

CVE-2018-3772

CVE-2018-3772 affects the npm module “whereis” prior to 0.4.1. The vulnerability arises from concatenating unsanitized user input, enabling an attacker to execute arbitrary commands (remote code execution). The issue is explicit across multiple sources describing command injection in versions bef...

CVSS 9.8 | AI score 9.4 | EPSS 0.0059
Exploits: 1 | References: 1 | Affected Software: 1

Node.js
added 2018/04/24 8:51 p.m. | 482 views

Command Injection

Overview Versions of whereis before 0.4.1 are vulnerable to command injection if untrusted user input is passed into whereis. Recommendation Update to version 0.4.1 or later. References - HackerOne Report - GitHub Commit 0f64e37 - GitHub Advisory...

CVSS 7.5 | AI score 3.9 | EPSS 0.0059
Exploits: 1 | Affected Software: 1

Veracode
added 2018/03/29 2:41 a.m. | 14 views

Arbitrary Code Execution

whereis is vulnerable to arbitrary code execution attacks. The application does not properly escape the filename, which is then concatenated to the exec function, allowing a malicious user to inject and execute arbitrary code...

CVSS 9.8 | AI score 9.7 | EPSS 0.0059
Exploits: 1 | References: 1 | Affected Software: 1

Hacker One
added 2018/02/25 6:53 a.m. | 27 views

Node.js third-party modules: `whereis` concatenates unsanitized input into exec() command

I would like to report command injection in whereis. It allows to inject arbitrary shell commands by trying to locate crafted filenames. Module module name: whereis version: 0.4.0 npm page: https://www.npmjs.com/package/whereis Module Description Simply get the first path to a bin on any system...

CVSS 7.5 | AI score 9.6 | EPSS 0.0059
Exploits: 1