Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-24377: Snyk Vulnerability Database | Snyk

The package cycle-import-check before 1.3.2 are vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.

CVE
Open in Source
#vulnerability#js

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

  • Snyk ID SNYK-JS-CYCLEIMPORTCHECK-3157955
  • published 13 Dec 2022
  • disclosed 6 Dec 2022
  • credit Mingqing Kang

How to fix?

Upgrade cycle-import-check to version 1.3.2 or higher.

Overview

Affected versions of this package are vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.

PoC

var root = require("cycle-import-check")
root.writeFileToTmpDirAndOpenIt("& touch JHU ", "aaa")

Related news

GHSA-995x-33wq-8gc9: cycle-import-check vulnerable to Command Injection

The package cycle-import-check before version 1.3.2 is vulnerable to Command Injection via the `writeFileToTmpDirAndOpenIt` function due to improper user-input sanitization.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE