Command Injection Affecting mock2easy package, versions *


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.4% (73rd percentile)
NVD
9.8 critical

  • Snyk ID SNYK-JS-MOCK2EASY-572312
  • published 23 Jul 2020
  • disclosed 15 Jun 2020
  • credit Snyk Security Team

How to fix?

There is no fixed version for mock2easy.

Overview

Affected versions of this package are vulnerable to Command Injection. A malicious user could inject commands through the _data variable:

Affected Area

    require('../server/getJsonByCurl')(mock2easy, function (error, stdout) {
      if (error) {
        return res.json(500, error);
      }
      res.json(JSON.parse(stdout));
    }, '', _data.interfaceUrl, query, _data.cookie, _data.interfaceType);
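
A hardened counterpart to the call above, as an added example that is neither mock2easy's code nor a published fix. It assumes the helper ends up running curl (suggested by the module name getJsonByCurl) and that interfaceType is an HTTP method; buildCurlArgs, getJsonByCurlSafe and ALLOWED_METHODS are hypothetical names.

```javascript
// Added example, not mock2easy code. All names below are hypothetical.
const { execFile } = require('node:child_process');

// Assumption: interfaceType carries an HTTP method.
const ALLOWED_METHODS = new Set(['GET', 'POST']);

// Build the curl argument vector from request-supplied fields.
// Each value stays a single argv element; no shell ever parses it.
function buildCurlArgs(interfaceUrl, cookie, interfaceType) {
  let url;
  try {
    url = new URL(String(interfaceUrl));
  } catch (e) {
    throw new Error('interfaceUrl is not a valid URL');
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('interfaceUrl must be http or https');
  }
  const method = String(interfaceType || 'GET').toUpperCase();
  if (!ALLOWED_METHODS.has(method)) {
    throw new Error('unsupported interfaceType');
  }
  const args = ['--silent', '--max-time', '10', '--request', method];
  if (cookie) {
    // CR/LF in the value would add extra header lines to the request.
    if (/[\r\n]/.test(String(cookie))) throw new Error('invalid cookie value');
    args.push('--header', 'Cookie: ' + cookie);
  }
  // url.href always starts with "http", so curl cannot read it as an option.
  args.push(url.href);
  return args;
}

// Run curl without a shell and pass the parsed JSON to the callback.
function getJsonByCurlSafe(data, callback) {
  let args;
  try {
    args = buildCurlArgs(data.interfaceUrl, data.cookie, data.interfaceType);
  } catch (err) {
    return callback(err);
  }
  execFile('curl', args, { timeout: 15000 }, (error, stdout) => {
    if (error) return callback(error);
    try { callback(null, JSON.parse(stdout)); } catch (e) { callback(e); }
  });
}
```

Because execFile takes an argument array and starts no shell, characters such as ; or $ in _data fields reach curl as literal text; the URL and method checks additionally stop those fields from being read as curl options or non-HTTP schemes.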

References