Skip to content
This repository has been archived by the owner on Aug 24, 2021. It is now read-only.

Arbitrary Code Injection #305

Open
larrycameron80 opened this issue Sep 17, 2019 · 0 comments
Open

Arbitrary Code Injection #305

larrycameron80 opened this issue Sep 17, 2019 · 0 comments

Comments

@larrycameron80
Copy link

Arbitrary Code Injection
Vulnerable module: growl
Introduced through: [email protected]
Detailed paths
Introduced through: multisig-wallet-gnosis@gnosis/MultiSigWallet#584b7bc2aed581be740cd17aacd8f4f01a3e6cd1 › [email protected][email protected][email protected]
Remediation: Upgrade to [email protected].
Overview
growl is a package adding Growl support for Nodejs.

Affected versions of this package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@larrycameron80