Description
This affects all versions of package wincred. If attacker-controlled user input is given to the getCredential function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
Remediation
References
https://snyk.io/vuln/SNYK-JS-WINCRED-1078538
https://github.com/rolangom/wincred/blob/3fd39186ee32add9c12046cdccf2765d19565335/index.ts%23L20
Related Vulnerabilities
CVE-2019-17558 Vulnerability in maven package org.apache.solr:solr-velocity
CVE-2022-31129 Vulnerability in maven package org.webjars:momentjs
CVE-2020-7755 Vulnerability in npm package dat.gui
CVE-2021-39152 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2023-38695 Vulnerability in npm package @simonsmith/cypress-image-snapshot