Command Injection

Affecting node-notifier package, versions <5.4.5 || >=8.0.0 <8.0.2 || >=9.0.0 <9.0.1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

node-notifier is an A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Affected versions of this package are vulnerable to Command Injection. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Remediation

Upgrade node-notifier to version 5.4.5, 8.0.2, 9.0.1 or higher.

References

CVSS Score

5.6
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit
Alessio Della Libera (d3lla)
CVE
CVE-2020-7789
CWE
CWE-78
Snyk ID
SNYK-JS-NODENOTIFIER-1035794
Disclosed
04 Nov, 2020
Published
13 Dec, 2020