Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2020-7604 Vulnerability in npm package pulverizr

Description

pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.

Remediation

References

https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122

Related Vulnerabilities

CVE-2021-20087 Vulnerability in npm package jquery-deparam

CVE-2019-16728 Vulnerability in maven package org.webjars.bowergithub.cure53:dompurify

CVE-2022-3171 Vulnerability in maven package com.google.protobuf:protobuf-kotlin-lite

CVE-2021-40110 Vulnerability in maven package org.apache.james:james-server

CVE-2017-16168 Vulnerability in npm package wffserve

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory