GHSA-pm52-wwrw-c282 – wiki-plugin-datalog
Package
Manager: npm
Name: wiki-plugin-datalog
Vulnerable Version: >=0 <0.1.6
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Command Injection in wiki-plugin-datalog

Versions of `wiki-plugin-datalog` prior to 0.1.6 are vulnerable to Command Injection. The package failed to sanitize URLs on the curl endpoint, allowing attackers to inject commands and possibly achieve Remote Code Execution on the system.

## Recommendation

Upgrade to version 0.1.6 or later.
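For code that must pass a user-supplied URL to curl, the following added example (not code from wiki-plugin-datalog) shows a hardened pattern: validate the URL, then run curl with an argument array and no shell. It assumes the endpoint invokes the `curl` binary; the names `validateFetchUrl`, `buildCurlArgs` and `fetchWithCurl` are hypothetical.

```javascript
// Added example: hardened handling of an untrusted URL that is handed to curl.
// Function names are hypothetical and not taken from wiki-plugin-datalog.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalized URL string, or null when the input is rejected.
function validateFetchUrl(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) return null;
  // Whitespace and control characters never belong in a URL taken from a request.
  if (/[\s\x00-\x1f\x7f]/.test(input)) return null;
  let url;
  try {
    url = new URL(input); // WHATWG parser; throws on anything that is not an absolute URL
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null; // no file:, gopher:, etc.
  if (url.username || url.password) return null;          // no embedded credentials
  return url.href;
}

// Builds the argv for curl. The URL is exactly one element, placed after "--",
// so it can be read neither as an option nor as shell syntax.
function buildCurlArgs(href) {
  return ['--silent', '--show-error', '--max-time', '10',
          '--proto', '=http,https', '--', href];
}

// Runs curl without a shell. callback(err, body) follows the Node convention.
function fetchWithCurl(input, callback) {
  const href = validateFetchUrl(input);
  if (href === null) {
    callback(new Error('URL rejected'));
    return;
  }
  // execFile passes arguments directly to the process; no shell parses them.
  const { execFile } = require('node:child_process');
  execFile('curl', buildCurlArgs(href), { timeout: 15000, maxBuffer: 1024 * 1024 },
    (err, stdout) => callback(err, err ? undefined : stdout));
}
```

The argument-array call is the primary control; the validation narrows what curl is asked to fetch and should be paired with an allow-list of hosts where the deployment permits one.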
Metadata
Created: 2019-06-13T18:59:06Z
Modified: 2021-08-16T14:32:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-pm52-wwrw-c282/GHSA-pm52-wwrw-c282.json
CWE IDs: ["CWE-94"]
Alternative ID: N/A
Finding: F422
Auto approve: 1