Vulnerabilities: 1 via 5 paths
Dependencies: 70
Source: GitHub
Commit: 3230c4f3


high severity

Command Injection

  • Vulnerable module: lodash.template
  • Introduced through: seneca@3.32.1

Detailed paths

  • Introduced through: @seneca/srv-admin@voxgig/seneca-srv-admin#3230c4f3ee4982d0211f2f6214d1db8c66435fff > seneca@3.32.1 > eraro@2.1.0 > lodash.template@4.5.0
  • Introduced through: @seneca/srv-admin@voxgig/seneca-srv-admin#3230c4f3ee4982d0211f2f6214d1db8c66435fff > seneca@3.32.1 > norma@3.0.0 > eraro@2.1.0 > lodash.template@4.5.0
  • Introduced through: @seneca/srv-admin@voxgig/seneca-srv-admin#3230c4f3ee4982d0211f2f6214d1db8c66435fff > seneca@3.32.1 > seneca-transport@8.0.0 > eraro@2.1.0 > lodash.template@4.5.0
  • Introduced through: @seneca/srv-admin@voxgig/seneca-srv-admin#3230c4f3ee4982d0211f2f6214d1db8c66435fff > seneca@3.32.1 > use-plugin@9.1.0 > eraro@2.1.0 > lodash.template@4.5.0
  • Introduced through: @seneca/srv-admin@voxgig/seneca-srv-admin#3230c4f3ee4982d0211f2f6214d1db8c66435fff > seneca@3.32.1 > use-plugin@9.1.0 > norma@2.0.2 > eraro@2.1.0 > lodash.template@4.5.0

Overview

lodash.template is the Lodash method _.template exported as a Node.js module.

Affected versions of this package are vulnerable to Command Injection via template.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Remediation

There is no fixed version for lodash.template.
