Arbitrary Command Execution in node-prompt-here (<=1.0.1)

CVE-2020-7602 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

node-prompt-here through 1.0.1 allows execution of arbitrary commands. "runCommand()" is called by the "getDevices()" function in the file "linux/manager.js", which is required by "index." The value of "process.env.NM_CLI" in "linux/manager.js" is used to construct the argument of "execSync()", and this value can be controlled by users without any sanitization.
