Potential Command Injection

Affecting libnotify package, versions <= 1.0.3


Overview

Untrusted input passed in the call to libnotify.notify could result in execution of shell commands. Callers may be unaware of this.

Source: Node Security Project

Details

Example:

var libnotify = require('libnotify')
// The message argument is passed through to the notification command;
// attacker-controlled content here can be interpreted by the shell.
libnotify.notify('UNTRUSTED INPUT', { title: "" }, function () {
    console.log(arguments);
})

References

Special thanks to Neal Poole for submitting the pull request to fix this issue.

Snyk patch available for versions:

CVSS Score

7.6
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Credit
Adam Baldwin
CVE
CVE-2013-7381
CWE
CWE-77
Snyk ID
npm:libnotify:20130515
Disclosed
15 May, 2013
Published
15 May, 2013