GHSA-jx6q-fq9h-6g7q

Source
https://github.com/advisories/GHSA-jx6q-fq9h-6g7q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-jx6q-fq9h-6g7q/GHSA-jx6q-fq9h-6g7q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jx6q-fq9h-6g7q
Aliases
Published
2023-12-19T15:30:29Z
Modified
2023-12-28T21:04:50Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Pedroetb TTS-API OS Command Injection
Details

A vulnerability classified as critical has been found in pedroetb tts-api up to 2.1.4. It affects the function onSpeechDone in the file app.js. The manipulation leads to OS command injection. Upgrading to version 2.2.0 addresses this issue. The patch is identified as 29d9c25415911ea2f8b6de247cb5c4607d13d434. It is recommended to upgrade the affected component. VDB-248278 is the identifier assigned to this vulnerability.

Database specific
{
    "nvd_published_at": "2023-12-19T13:15:43Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-19T20:53:24Z"
}
References

Affected packages

npm / tts-api

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.2.0