Description

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand()" is called by "getDevices()" function in file "linux/manager.js", which is required by the "index. process.env.NM_CLI" in the file "linux/manager.js". This function is used to construct the argument of function "execSync()", which can be controlled by users without any sanitization.

Remediation

References

https://snyk.io/vuln/SNYK-JS-NODEPROMPTHERE-560115

Related Vulnerabilities

CVE-2023-45133 Vulnerability in maven package org.webjars.npm:babel__traverse

CVE-2021-4329 Vulnerability in maven package org.webjars.npm:json-logic-js

CVE-2022-36090 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2023-47321 Vulnerability in maven package org.silverpeas.core:silverpeas-core-web

CVE-2023-47320 Vulnerability in maven package org.silverpeas.core:silverpeas-core-war

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory