Description
Command Execution in windows-cpu
Versions of windows-cpu before 0.1.5 will execute arbitrary code passed as the first argument of the findLoad method, resulting in remote code execution.
Proof of Concept
var win = require('windows-cpu');
win.findLoad('foo & calc.exe');
Recommendation
Update to version 0.1.5 or later.
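For code that has the same shape as this bug (a caller-supplied process filter ending up in a shell command line), the sketch below shows the unsafe pattern next to a hardened one. It is an added example, not windows-cpu's code: the function names, the wmic invocation and the sample output are assumptions made for illustration.

```javascript
const { execFile } = require('child_process');

// Unsafe pattern (hypothetical, for contrast): caller input is concatenated
// into a string that cmd.exe parses, so "&" starts a second command.
function unsafeCommand(filter) {
  return 'wmic process get Name,ProcessId | findstr /i /c:' + filter;
}

// Hardening 1: allowlist the filter before it is used anywhere.
const SAFE_FILTER = /^[A-Za-z0-9._-]{1,64}$/;
function assertSafeFilter(filter) {
  if (typeof filter !== 'string' || !SAFE_FILTER.test(filter)) {
    throw new TypeError('rejected process filter: ' + JSON.stringify(filter));
  }
  return filter.toLowerCase();
}

// Parse CSV output with a header row into { name, pid } records.
function parseCsv(output) {
  const rows = output.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  if (rows.length === 0) return [];
  const header = rows.shift().split(',');
  const nameIdx = header.indexOf('Name');
  const pidIdx = header.indexOf('ProcessId');
  return rows.map((r) => r.split(','))
    .map((c) => ({ name: c[nameIdx] || '', pid: Number(c[pidIdx]) }));
}

// Hardening 2: the filter never reaches a command line; matching is done in
// JavaScript on the parsed output.
function findProcesses(filter, csvOutput) {
  const needle = assertSafeFilter(filter);
  return parseCsv(csvOutput).filter((p) => p.name.toLowerCase().includes(needle));
}

// Live variant: fixed argv through execFile, so no shell parses anything.
function findProcessesLive(filter, cb) {
  assertSafeFilter(filter); // throws before any process is spawned
  execFile('wmic', ['process', 'get', 'Name,ProcessId', '/format:csv'],
    { windowsHide: true }, (err, stdout) => {
      if (err) return cb(err);
      cb(null, findProcesses(filter, stdout));
    });
}

// Constructed sample of the CSV output, so the example runs offline.
const SAMPLE = 'Node,Name,ProcessId\r\nHOST1,chrome.exe,4120\r\nHOST1,foo.exe,880\r\n';
```
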
Packages
Name: windows-cpu (npm)
Affected versions: < 0.1.5
Fixed version: 0.1.5
Related vulnerabilities
CVSS3: 9.8
nvd
about 8 years ago
npm/KyleRoss windows-cpu all versions vulnerable to command injection resulting in code execution as Node.js user