Description
Remote Code Execution in pi_video_recording
All versions of pi_video_recording are vulnerable to Remote Code Execution. Due to insufficient input validation, the server executes arbitrary shell commands supplied in the filename field of requests to the /api/record/start endpoint. After starting the server, the following request creates a file in the /tmp/ directory:

curl -X POST -H "Content-Type: application/json" -d '{"filename": " || touch /tmp/worked;"}' http://localhost:5000/api/record/start
Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
Packages
Name: pi_video_recording (npm)
Affected versions: all (per the description above)
Fix version: none
Weaknesses
CWE-20