GHSA-wq7q-5v6j-xfv6

Опубликовано: 07 мая 2021

Источник: github

Github: Прошло ревью

CVSS3: 9.8

Описание

Command Injection in picotts

This affects all versions up to and including version 0.1.1 of package picotts. If attacker-controlled user input is given to the say function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

Ссылки

Пакеты

Наименование

picotts

npm

Затронутые версииВерсия исправления

<= 0.1.1

Отсутствует

EPSS

Процентиль: 69%

0.00612

Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2021-23378

Дефекты

CWE-77

Связанные уязвимости

CVE-2021-23378

CVSS3: 9.8

nvd

почти 5 лет назад

This affects all versions of package picotts. If attacker-controlled user input is given to the say function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

EPSS

Процентиль: 69%

0.00612

Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2021-23378

Дефекты

CWE-77