Description

All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.

Remediation

References

https://snyk.io/vuln/SNYK-JS-GITLOGPLUS-1315832

https://hackerone.com/reports/808942

https://www.npmjs.com/package/gitlogplus

Related Vulnerabilities

CVE-2021-33040 Vulnerability in npm package epubjs

CVE-2020-28477 Vulnerability in maven package org.webjars.npm:immer

CVE-2021-41183 Vulnerability in maven package org.webjars.bowergithub.jquery:jquery-ui

CVE-2021-21306 Vulnerability in maven package org.webjars.npm:marked

CVE-2022-21680 Vulnerability in npm package marked

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Product