CVE-2018-3772

Concatenating unsanitized user input in the whereis npm module 0.4.1 allowed an attacker to execute arbitrary commands. The whereis module is deprecated and it is recommended to use the which npm module instead...

Node.js third-party modules: `whereis` concatenates unsanitized input into exec() command

I would like to report command injection in whereis It allows to inject arbitrary shell commands by trying to locate crafted filenames. Module module name: whereis version: 0.4.0 npm page: https://www.npmjs.com/package/whereis Module Description Simply get the first path to a bin on any system...