web-ext@6.6.0

Vulnerabilities: 1 via 1 paths
Dependencies: 444
Source: npm

medium severity

Command Injection

  • Vulnerable module: node-notifier
  • Introduced through: node-notifier@9.0.0

Detailed paths

  • Introduced through: web-ext@6.6.0 > node-notifier@9.0.0
    Remediation: Upgrade to node-notifier@9.0.1.

Overview

node-notifier is a Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback).

Affected versions of this package are vulnerable to Command Injection. An attacker can run arbitrary commands on Linux machines because the options params are not sanitised when an array is passed.

Remediation

Upgrade node-notifier to version 5.4.5, 8.0.2, 9.0.1 or higher.
