Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2020-7602 Vulnerability in npm package node-prompt-here

Description

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand()" is called by "getDevices()" function in file "linux/manager.js", which is required by the "index. process.env.NM_CLI" in the file "linux/manager.js". This function is used to construct the argument of function "execSync()", which can be controlled by users without any sanitization.

Remediation

References

https://snyk.io/vuln/SNYK-JS-NODEPROMPTHERE-560115

Related Vulnerabilities

CVE-2020-11990 Vulnerability in npm package cordova-plugin-camera

CVE-2021-23331 Vulnerability in maven package com.squareup:connect

CVE-2018-16459 Vulnerability in maven package org.webjars.npm:exceljs

CVE-2021-23433 Vulnerability in npm package algoliasearch-helper

CVE-2022-35949 Vulnerability in maven package org.webjars.npm:undici

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory