Description

effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary command via the options argument.

Remediation

References

https://github.com/Javascipt/effect/blob/master/helper.js#L24%2C

https://snyk.io/vuln/SNYK-JS-EFFECT-564256

Related Vulnerabilities

CVE-2020-19697 Vulnerability in maven package org.webjars.bower:editor.md

CVE-2016-3081 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2017-16008 Vulnerability in npm package i18next

CVE-2023-45648 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2023-27095 Vulnerability in maven package cn.hippo4j:hippo4j-core

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory