GHSA-pm52-wwrw-c282

Опубликовано: 13 июн. 2019

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

Command Injection in wiki-plugin-datalog

Versions of wiki-plugin-datalog prior to 0.1.6 are vulnerable to Command Injection. The package failed to sanitize URLs on the curl endpoint, allowing attackers to inject commands and possibly achieving Remote Code Execution on the system.

Recommendation

Upgrade to version 0.1.6 or later.

Ссылки

https://github.com/WardCunningham/wiki-plugin-datalog/commit/020aa6201319e5b76301a61b65268c94dc242fa7
https://snyk.io/vuln/SNYK-JS-WIKIPLUGINDATALOG-449540
https://www.npmjs.com/advisories/926

Пакеты

Наименование

wiki-plugin-datalog

npm

Затронутые версииВерсия исправления

< 0.1.6

0.1.6

6.5 Medium

CVSS3

Дефекты

CWE-94

6.5 Medium

CVSS3

Дефекты

CWE-94