Unauthenticated Remote Command Injection

Affecting ep_imageconvert package, versions <=0.0.2

Overview

ep_imageconvert is a plugin for Etherpad Lite. ep_imageconvert <= 0.0.2 is vulnerable to remote command injection.

Authentication is not required for remote exploitation.

Source: Node Security Project

Remediation

Update to version 0.0.3 or greater.

CVSS Score

8.2 (high severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: Low
  • Availability: None

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Credit: Neal Poole
CVE: CVE-2013-3364, CVE-2013-7380
CWE: CWE-77
Snyk ID: npm:ep_imageconvert:20130506
Disclosed: 06 May, 2013
Published: 06 May, 2013