This repository was archived by the owner on Jul 11, 2023. It is now read-only.
huntr.dev - Code Injection #69
Open
Description
This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)
Vulnerability Description
Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command that will be executed without any checks. The spawn function receives the _executableShell variable, which is the /bin/sh command. This could result in any command, even if the function is written correctly, leading to RCE.
The issue arises here:
https://github.com/mattijs/node-rsync/blob/master/rsync.js#L506
Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
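The pattern the report describes, next to a shell-free form, as an added example that is not part of the original issue and is not node-rsync's code. It assumes a POSIX system; `echo` stands in for the rsync binary, and the function names and sample values are hypothetical.

```javascript
// Added illustration, not node-rsync's code. `echo` stands in for rsync so
// the difference is visible in the output without touching any files.
const { spawnSync } = require("child_process");

// Pattern from the report: values are formatted into one command string and
// handed to /bin/sh, so the shell parses any metacharacters they contain.
function runViaShell(source, destination) {
  const command = ["echo", "-a", source, destination].join(" ");
  const result = spawnSync("/bin/sh", ["-c", command], { encoding: "utf8" });
  return result.stdout.trim().split("\n");
}

// Shell-free form: the program is started directly and every value is
// exactly one argv entry, so ";" is just a character in a path.
// Values starting with "-" would still be read as options by a real tool
// and need their own validation.
function runViaArgv(source, destination) {
  const result = spawnSync("echo", ["-a", source, destination], {
    encoding: "utf8",
    shell: false,
  });
  return result.stdout.trim().split("\n");
}

// Constructed input: a "source path" carrying a harmless second command.
const sampleSource = "src; echo INJECTED";
const sampleDestination = "/tmp/dest";

console.log("via /bin/sh:", runViaShell(sampleSource, sampleDestination));
console.log("via argv:   ", runViaArgv(sampleSource, sampleDestination));
```

With the shell, the output has two lines because the text after `;` ran as its own command; with the argument array it stays a single literal argument.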