CVE-2021-23412 – gitlogplus
Package
Manager: npm
Name: gitlogplus
Vulnerable Version: >=0 <=3.1.7
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03916 (percentile 0.8784)
Details
Command injection in gitlogplus
All versions of the package gitlogplus are vulnerable to command injection via its main functionality: option attributes are appended to the command to be executed without sanitization.
Metadata
Created: 2021-07-26T21:23:35Z
Modified: 2021-08-03T18:58:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-3fxp-vwxm-2r5p/GHSA-3fxp-vwxm-2r5p.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-3fxp-vwxm-2r5p
Finding: F422
Auto approve: 1