Open huntr-helper opened 4 years ago
Affected versions of this package are vulnerable to Command Injection. The `options` argument can be controlled by users without any sanitization.

POC:

```js
var Root = require('compass-compile');
var root = new Root();
var options = {
  // user-controlled value, used without sanitization
  compassCommand: "touch JHU"
};
root.compile(options);
```
Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
A pull request/fix has been suggested (https://github.com/quaertym/compass-compile/pull/2).
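One way to close this class of bug, shown as an added example that is neither compass-compile's code nor the linked pull request: allowlist the executable and pass arguments as an array to `execFile`, so no shell parses the values. The function names, the allowlist, and the option names `sassDir`, `cssDir` and `outputStyle` are assumptions made for illustration.

```javascript
// Hypothetical hardened wrapper (added example, not compass-compile's code).
// Assumption: 'compass' is the only executable a caller may select.
const ALLOWED_COMMANDS = new Set(['compass']);
// Assumed option names, mapped to Compass CLI flags.
const FLAG_FOR_OPTION = {
  sassDir: '--sass-dir',
  cssDir: '--css-dir',
  outputStyle: '--output-style',
};

// Turn caller-supplied options into { file, argv } without building a shell string.
function buildCompassArgv(options = {}) {
  const file = options.compassCommand === undefined ? 'compass' : options.compassCommand;
  if (typeof file !== 'string' || !ALLOWED_COMMANDS.has(file)) {
    throw new Error('compassCommand not allowed: ' + JSON.stringify(file));
  }
  const argv = ['compile'];
  for (const [name, flag] of Object.entries(FLAG_FOR_OPTION)) {
    const value = options[name];
    if (value === undefined) continue;
    // A value starting with "-" would be parsed by compass as another flag.
    if (typeof value !== 'string' || value === '' || value.startsWith('-')) {
      throw new Error('invalid value for ' + name);
    }
    argv.push(flag, value);
  }
  return { file, argv };
}

// Run compass with execFile: there is no shell, so ";", "&&" and "$()"
// inside a value stay literal text within a single argument.
async function compile(options) {
  const { file, argv } = buildCompassArgv(options);
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile(file, argv, (err, stdout) => (err ? reject(err) : resolve(stdout)));
  });
}

// Returns true when the options are rejected before any process is started.
function isRejected(options) {
  try { buildCompassArgv(options); return false; } catch (e) { return true; }
}
```

With this shape the POC value `"touch JHU"` is refused before any process starts.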