admin/cve
1
0
Fork 0
mirror of https://github.com/0xMarcio/cve.git synced 2025-05-08 11:36:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
cve/2020/CVE-2020-7604.md

19 lines
926 B
Markdown
Raw Normal View History

Update Sat May 25 21:48:12 CEST 2024
2024-05-25 21:48:12 +02:00
### [CVE-2020-7604](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7604)
![](https://img.shields.io/static/v1?label=Product&message=pulverizr&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Command%20Injection&color=brighgreen)
### Description
pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
### POC
#### Reference
- https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122
Update CVE sources 2024-06-09 00:33
2024-06-09 00:33:16 +00:00
- https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122
Update Sat May 25 21:48:12 CEST 2024
2024-05-25 21:48:12 +02:00
#### Github
No PoCs found on GitHub currently.
Reference in New Issue Copy Permalink