CVE-2022-24431: Snyk Vulnerability Database | Snyk

All versions of package abacus-ext-cmdline are vulnerable to Command Injection via the execute function due to improper user-input sanitization.

  • Snyk ID SNYK-JS-ABACUSEXTCMDLINE-3157950
  • published 20 Dec 2022
  • disclosed 6 Dec 2022
  • credit JHU System Security Lab

How to fix?

There is no fixed version for abacus-ext-cmdline.

Overview

Affected versions of this package are vulnerable to Command Injection via the execute function due to improper user-input sanitization.

PoC

var root = require("abacus-ext-cmdline");
// Payload from the advisory; a file named JHU appears if the injected command runs
root.execute('"& touch JHU &"');
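
With no fixed version available, callers can avoid shell parsing altogether by passing arguments as an array. The block below is an added example, not code from abacus-ext-cmdline or from the advisory; `buildShellString`, `runWithoutShell` and `demo` are hypothetical names, and the `echo` template is an assumed illustration of a string-built command, not the package's actual implementation.

```javascript
// Added example, not code from abacus-ext-cmdline. Assumption: the caller only
// needs to run one known program with user-supplied arguments.
const { execFileSync } = require("node:child_process");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Risky shape (hypothetical): user input is spliced into a string that a shell
// parses, so quotes and & in the input change the command's structure.
// This function only builds the string; it never executes it.
function buildShellString(userInput) {
  return 'echo "' + userInput + '"';
}

// Safer shape: no shell is involved. The program is fixed and every argument
// is passed as a separate argv entry, so metacharacters stay literal data.
function runWithoutShell(program, args, cwd) {
  return execFileSync(program, args, { cwd, shell: false, encoding: "utf8" });
}

// Sends the advisory's payload through the no-shell path in a scratch
// directory and reports what the child received and whether JHU was created.
function demo() {
  const payload = '"& touch JHU &"'; // payload string from the advisory's PoC
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "cmdinj-"));
  try {
    const echoed = runWithoutShell(
      process.execPath, // the running Node binary stands in for a real tool
      ["-e", "process.stdout.write(process.argv[1])", payload],
      dir
    );
    return {
      shellString: buildShellString(payload),
      echoed,
      markerCreated: fs.existsSync(path.join(dir, "JHU")),
    };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

`demo()` returns the payload unchanged in `echoed` and `markerCreated: false`, while `shellString` shows how the same input would unbalance the quoting of a shell command line.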

Related news

GHSA-m5v8-wpw4-rj3x: abacus-ext-cmdline vulnerable to Command Injection
