CVE-2020-7602

Published: Mar 15, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand()" is called by "getDevices()" function in file "linux/manager.js", which is required by the "index. process.env.NM_CLI" in the file "linux/manager.js". This function is used to construct the argument of function "execSync()", which can be controlled by users without any sanitization.

Affected (1)

Products: Node Prompt Here Project: Node Prompt Here

Node Prompt Here Project

1 product

Node Prompt Here

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Node Prompt Here Project Node Prompt Here	Up to 1.0.1

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://snyk.io/vuln/SNYK-JS-NODEPROMPTHERE-560115

Source: report@snyk.io

ExploitThird Party Advisory

https://snyk.io/vuln/SNYK-JS-NODEPROMPTHERE-560115

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.