GHSA-6898-wx94-8jq8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6898-wx94-8jq8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-6898-wx94-8jq8/GHSA-6898-wx94-8jq8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6898-wx94-8jq8
- Aliases
-
- CVE-2013-7381
- Published
- 2020-08-31T22:50:48Z
- Modified
- 2023-11-08T03:57:29.118083Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Potential Command Injection in libnotify
- Details
-
Versions 1.0.3 and earlier of libnotify are affected by a shell command injection vulnerability. This may result in execution of arbitrary shell commands, if user input is passed into libnotify.notify.
Untrusted input passed in the call to libnotify.notify could result in execution of shell commands. Callers may be unaware of this.
Example
var libnotify = require('libnotify') libnotify.notify('UNTRUSTED INPUT', { title: \"\" }, function () { console.log(arguments); })Special thanks to Neal Poole for submitting the pull request to fix this issue.
Recommendation
Update to version 1.0.4 or greater
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2020-08-31T18:08:04Z", "github_reviewed": true, "severity": "CRITICAL", "cwe_ids": [ "CWE-74" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2013-7381
- https://github.com/mytrile/node-libnotify/commit/dfe7801d73a0dda10663a0ff3d0ec8b4d5f0d448
- https://github.com/mytrile/node-libnotify
- https://www.npmjs.com/advisories/20
- http://www.openwall.com/lists/oss-security/2014/05/13/1
- http://www.openwall.com/lists/oss-security/2014/05/15/2
Affected packages
npm / libnotify
Package
- Name
- libnotify
- View open source insights on deps.dev
- Purl
- pkg:npm/libnotify