Description
Command injection in mversion
Impact
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
Patches
Patched by version 2.0.0. Previous releases are deprecated in npm.
Workarounds
Make sure to escape git commit messages when using the commitMessage option for the update function.
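One way to apply this workaround in calling code, as an added example that is not part of the advisory or of mversion's own code. It rejects unsafe messages instead of escaping them, because the page does not say how the library quotes the message; `guardedUpdate`, its `(options, callback)` signature, and the allow-list are assumptions. `roundTripAsArgv` illustrates the general technique of passing arguments as an array with no shell, and is not a description of the 2.0.0 patch.

```javascript
const { execFileSync } = require('node:child_process');

// Allow-list (an assumption, tune to your needs): letters, digits, spaces and
// a little punctuation. '%' stays allowed so a version placeholder still works.
const SAFE_MESSAGE = /^[A-Za-z0-9 .,:_\/%+=@-]{1,200}$/;

function isSafeCommitMessage(message) {
  return typeof message === 'string' && SAFE_MESSAGE.test(message);
}

// Hypothetical wrapper: `update` is the library's update function, handed in
// by the caller. The message is checked before the library ever sees it.
function guardedUpdate(update, options, callback) {
  if (options.commitMessage !== undefined &&
      !isSafeCommitMessage(options.commitMessage)) {
    return callback(new Error('commitMessage rejected: disallowed characters'));
  }
  return update(options, callback);
}

// With execFile there is no shell to parse the string, so the child process
// receives the message byte for byte, metacharacters included.
function roundTripAsArgv(message) {
  const script = 'process.stdout.write(process.argv[process.argv.length - 1])';
  return execFileSync(process.execPath, ['-e', script, '--', message],
                      { encoding: 'utf8' });
}
```

Where the message comes from users or another system, prefer upgrading to 2.0.0 and keep a check like this as defence in depth.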
Packages
Name: mversion (npm)
Affected versions: < 2.0.0
Fixed version: 2.0.0
Related vulnerabilities
CVSS3: 7.3
nvd
more than 5 years ago
In mversion before 2.0.0, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This vulnerability is patched by version 2.0.0. Previous releases are deprecated in npm. As a workaround, make sure to escape git commit messages when using the commitMessage option for the update function.