Description
Command Injection in node-df
All versions of node-df are vulnerable to Command Injection. The package fails to sanitize filenames passed to the file option. If this value is user-controlled, it may allow attackers to run arbitrary commands on the server.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
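An added example, not node-df's code and not from this advisory: one way to query `df` for a user-supplied path without passing the value through a shell. The names `buildDfArgs`, `parseDf`, `diskFree` and `SAMPLE_DF` are hypothetical, and the sample output is constructed.

```javascript
// Added illustration; buildDfArgs, parseDf and diskFree are hypothetical names.

// Build the argument vector for `df`. The path is one argv element and is
// never concatenated into a shell command line.
function buildDfArgs(file) {
  const args = ['-kP']; // POSIX output format, sizes in 1024-byte blocks
  if (file === undefined) return args;
  if (typeof file !== 'string' || file.length === 0 || file.includes('\0')) {
    throw new TypeError('file must be a non-empty string without NUL bytes');
  }
  // "--" ends option parsing, so a value starting with "-" is read as a path.
  args.push('--', file);
  return args;
}

// Parse `df -kP` output into objects; the mount point may contain spaces.
function parseDf(stdout) {
  return stdout.trim().split('\n').slice(1).map((line) => {
    const f = line.trim().split(/\s+/);
    return {
      filesystem: f[0],
      sizeKiB: Number(f[1]),
      usedKiB: Number(f[2]),
      availableKiB: Number(f[3]),
      capacity: f[4],
      mount: f.slice(5).join(' '),
    };
  });
}

// Run df directly with execFile: no shell is spawned, so shell
// metacharacters in the path are not interpreted.
async function diskFree(file) {
  const args = buildDfArgs(file); // throws on invalid input before any exec
  // Dynamic import works from both CommonJS and ES modules.
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile('df', args, { timeout: 5000 }, (err, stdout) =>
      (err ? reject(err) : resolve(parseDf(stdout))));
  });
}

// Constructed sample of `df -kP` output, for exercising parseDf offline.
const SAMPLE_DF = [
  'Filesystem 1024-blocks Used Available Capacity Mounted on',
  '/dev/sda1 41152736 9876544 29163008 26% /',
  '/dev/sdb1 1024000 512000 512000 50% /mnt/my data',
].join('\n');
```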
Packages
Name: node-df (npm)
Affected versions: <= 0.1.4
Fixed version: None
Related vulnerabilities
CVSS3: 8.8
redhat
about 6 years ago
A code injection vulnerability exists in node-df v0.1.4 that can allow an attacker to achieve remote code execution through unsanitized input.
CVSS3: 9.8
nvd
about 6 years ago
A code injection vulnerability exists in node-df v0.1.4 that can allow an attacker to achieve remote code execution through unsanitized input.