Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo2djkteGd2aC1mNzk2

Command Injection in wxchangba

All versions of wxchangba are vulnerable to Command Injection. The package does not validate user input on the reqPostMaterial function, passing contents of the file parameter to an exec call. This may allow attackers to run arbitrary commands in the system.

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

Permalink: https://github.com/advisories/GHSA-j6v9-xgvh-f796
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo2djkteGd2aC1mNzk2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago

Identifiers: GHSA-j6v9-xgvh-f796
References:

Blast Radius: 0.0

Affected Packages

npm:wxchangba

Dependent packages: 0
Dependent repositories: 1
Downloads: 2 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 1.0.3