Unauthenticated Remote Command Injection
Affecting ep_imageconvert package, versions <=0.0.2
Overview
ep_imageconvert is a plugin for Etherpad Lite. ep_imageconvert <= 0.0.2 is vulnerable to remote command injection.
Authentication is not required for remote exploitation.
Source: Node Security Project
Remediation
Update to version 0.0.3 or greater.
Snyk patch available for versions:
- <=0.0.2
CVSS Score
8.2 (high severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: Low
- Availability: None
- Credit: Neal Poole
- CVE: CVE-2013-3364, CVE-2013-7380
- CWE: CWE-77
- Snyk ID: npm:ep_imageconvert:20130506
- Disclosed: 06 May, 2013
- Published: 06 May, 2013