Описание
OS Command Injection in pulverizr
pulverizr through 0.7.0 allows execution of arbitrary commands. Within lib/job.js, the variable filename can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
Пакеты
pulverizr
<= 0.7.0
Отсутствует
Связанные уязвимости
pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
Уязвимость пакета Pulverizr пакетного менеджера NPM, позволяющая нарушителю выполнять произвольные команды