exploitDog
GHSA-6898-wx94-8jq8

Published: Aug 31, 2020
Source: github
GitHub: Reviewed
CVSS3: 9.8

Description

Potential Command Injection in libnotify

Versions 1.0.3 and earlier of libnotify are affected by a shell command injection vulnerability. This may result in execution of arbitrary shell commands, if user input is passed into libnotify.notify.

Untrusted input passed in the call to libnotify.notify could result in execution of shell commands. Callers may be unaware of this.

Example

```js
var libnotify = require('libnotify');

// In libnotify <= 1.0.3 the message string below is passed to a shell;
// attacker-controlled content in it is interpreted as shell syntax.
libnotify.notify('UNTRUSTED INPUT', { title: "" }, function () {
  console.log(arguments);
});
```

Special thanks to Neal Poole for submitting the pull request to fix this issue.

Recommendation

Update to version 1.0.4 or greater

Packages

Name: libnotify
Ecosystem: npm
Affected versions: <= 1.0.3
Fixed version: 1.0.4

EPSS

Percentile: 83%
Score: 0.02011
Low

CVSS3: 9.8 Critical

Weaknesses

CWE-74

Related vulnerabilities

CVSS3: 9.8
ubuntu
almost 6 years ago

libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify.

CVSS3: 9.8
nvd
almost 6 years ago

libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify.

CVSS3: 9.8
msrc
3 months ago

libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify.
