CVE-2020-7602

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand()" is called by "getDevices()" function in file "linux/manager.js", which is required by the "index. process.env.NM_CLI" in the file "linux/manager.js". This function is used to construct the argument of function "execSync()", which can be controlled by users without any sanitization.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
snykCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 61%
VendorProductVersion
node-prompt-here_projectnode-prompt-here
𝑥
≤ 1.0.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://snyk.io/vuln/SNYK-JS-NODEPROMPTHERE-560115
https://snyk.io/vuln/SNYK-JS-NODEPROMPTHERE-560115