Arbitrary Command Execution in Deprecated `whereis` npm Module

CVE-2018-3772 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The `whereis` module is deprecated and it is recommended to use the `which` npm module instead.
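
The concatenation pattern described above, next to a lookup that never involves a shell. This is an added example, not code from the `whereis` or `which` modules; the function names, the `whereis ` command prefix, the allowlist pattern and the sample file are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Vulnerable pattern, illustrative only: the string is built but never run
// here. Once such a string is handed to a shell, any shell metacharacters in
// `name` are parsed as syntax instead of being treated as data.
function buildShellCommand(name) {
  return 'whereis ' + name;
}

// Hardened lookup: no shell at all. The name must match an allowlist (no
// separators, spaces or metacharacters), then every PATH entry is probed
// directly on the filesystem.
const SAFE_NAME = /^[A-Za-z0-9._+-]+$/;

function findOnPath(name, pathVar = process.env.PATH || '') {
  if (typeof name !== 'string' || !SAFE_NAME.test(name)) {
    throw new TypeError('invalid executable name');
  }
  for (const dir of pathVar.split(path.delimiter)) {
    if (!dir) continue; // skip empty PATH entries
    const candidate = path.join(dir, name);
    try {
      if (fs.statSync(candidate).isFile()) {
        fs.accessSync(candidate, fs.constants.X_OK);
        return candidate;
      }
    } catch (err) {
      // Missing or not executable in this directory; keep searching.
    }
  }
  return null; // not found anywhere on the supplied PATH
}

// Constructed sample input: a temporary directory with one executable file.
function makeSampleDir() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'lookup-'));
  const file = path.join(dir, 'sampletool');
  fs.writeFileSync(file, '#!/bin/sh\n');
  fs.chmodSync(file, 0o755);
  return dir;
}
```

When a child process is genuinely required, passing the name as a separate element of an argument array to `child_process.execFile` keeps it out of shell parsing as well.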
