Arbitrary Command Injection in samsung-remote

Do your applications use this vulnerable package? Test your applications

Overview

samsung-remote is a Module for integration of Samsung SmartTV with your NodeJS application. Tested with Samsung D6000 TV.

Affected versions of this package are vulnerable to Arbitrary Command Injection due to not sanitizing the IP address argument, and subsequently passes it to child_process.exec().

Remediation

Uograde samsung-remote to version 1.3.5 or higher.

References

GitHub Release
HackerOne Report
NPM Security Advisory

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Changed
Confidentiality

High
Integrity

High
Availability

High

Credit: Douglas Hall
CWE: CWE-264
Snyk ID: SNYK-JS-SAMSUNGREMOTE-72278
Disclosed: 02 Sep, 2018
Published: 05 Sep, 2018

Arbitrary Command Injection
Affecting samsung-remote package, versions <1.3.5

Overview

Remediation

References

CVSS Score

Arbitrary Command Injection Affecting samsung-remote package, versions <1.3.5

Overview

Remediation

References

Arbitrary Command Injection
Affecting samsung-remote package, versions <1.3.5