This repository was archived by the owner on Jul 11, 2023. It is now read-only.

huntr.dev - Code Injection #69

Open
@huntr-helper

This issue has been generated on behalf of Mik317 (https://huntr.dev/app/users/Mik317)

Vulnerability Description

Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command that will be executed without any checks. The spawn function receives the _executableShell variable, which is the /bin/sh command. This could result in any command, even if the function is written correctly, leading to RCE.

The issue arises here:

https://github.com/mattijs/node-rsync/blob/master/rsync.js#L506

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
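
The pattern the report describes, shown beside a shell-free form, as an added example that is not part of the original issue and is not node-rsync's code. It assumes a POSIX system; `echo` stands in for the rsync binary so it runs offline, and the function names and sample input are hypothetical.

```javascript
// Added example (not node-rsync code). `echo` stands in for the rsync binary
// so the sketch runs offline; all function names here are hypothetical.
const { spawnSync } = require('child_process');

const EXECUTABLE = 'echo';          // stand-in for the real executable
const EXECUTABLE_SHELL = '/bin/sh'; // the shell named in the report

// Pattern from the report: arguments are joined into one string and handed
// to `/bin/sh -c`, so the shell parses metacharacters in user-supplied values.
function runThroughShell(source, destination) {
  const commandLine = [EXECUTABLE, source, destination].join(' ');
  const result = spawnSync(EXECUTABLE_SHELL, ['-c', commandLine], { encoding: 'utf8' });
  return result.stdout.trim().split('\n');
}

// Hardened form: no shell is involved; each value is exactly one argv element,
// so separators such as `;` reach the program as literal text.
function runWithoutShell(source, destination) {
  const result = spawnSync(EXECUTABLE, [source, destination], {
    encoding: 'utf8',
    shell: false,
  });
  return result.stdout.trim().split('\n');
}

// Constructed sample input: a destination value carrying a shell separator
// followed by a harmless marker command.
const untrustedDestination = '/backup; echo MARKER_SECOND_COMMAND';

// Through the shell, two commands run and two output lines come back.
console.log('via shell:', runThroughShell('/data', untrustedDestination));
// Without a shell, one process runs and the value is printed verbatim.
console.log('no shell :', runWithoutShell('/data', untrustedDestination));
```

A second output line in the shell case means the marker ran as its own command; in the shell-free case the whole value stays a single argument.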
