Description

All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.

Remediation

References

https://hackerone.com/reports/808942

https://snyk.io/vuln/SNYK-JS-GITLOGPLUS-1315832

https://www.npmjs.com/package/gitlogplus

Related Vulnerabilities

CVE-2022-25645 Vulnerability in npm package dset

CVE-2022-41853 Vulnerability in maven package org.hsqldb:hsqldb

CVE-2020-8127 Vulnerability in maven package org.webjars.bowergithub.hakimel:reveal.js

CVE-2018-11698 Vulnerability in maven package org.webjars.npm:node-sass

CVE-2021-21290 Vulnerability in maven package io.netty:netty-testsuite

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Product