GHSA-2877-693q-pj33

Suggest an improvement
Source
https://github.com/advisories/GHSA-2877-693q-pj33
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-2877-693q-pj33/GHSA-2877-693q-pj33.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2877-693q-pj33
Aliases
Published
2022-03-07T00:00:40Z
Modified
2023-11-01T04:56:59.671249Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
OS Command Injection in GenieACS
Details

In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.

Database specific 
{
    "github_reviewed_at": "2022-03-07T20:11:56Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-78"
    ],
    "nvd_published_at": "2022-03-06T07:15:00Z"
}
References

Affected packages

npm / genieacs

Package

Name
genieacs
View open source insights on deps.dev
Purl
pkg:npm/genieacs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.8