Описание
Command Injection in wizard-syncronizer
All versions of wizard-syncronizer are vulnerable to Command Injection. The package does not validate input on the cloneAndSync function and concatenates it to an exec call. This can be abused through a malicious widget containing the payload in the gitURL value or through a MITM attack since the package does not enforce HTTPS. This may allow attackers to run arbitrary commands in the system.
Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
Пакеты
Наименование
wizard-syncronizer
npm
Затронутые версииВерсия исправления
>= 0.0.0
Отсутствует
Дефекты
CWE-79
Дефекты
CWE-79