This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl’s parameters to overwrite JavaScript files and then execute any OS commands.
CWE-78
CVE-2020-7688
The issue occurs because the tagName user input is formatted inside the exec function and is executed without any checks.
CVE-2020-7698
This affects the package Gerapy from 0 and before 0.9.3. The input being passed to Popen, via the project_configure endpoint, isn’t being sanitized.
CVE-2020-7712
This affects the package json before 10.0.0. It is possible to inject arbitrary commands using the parseLookup function.
CVE-2020-7619
get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data.
CVE-2020-7620
pomelo-monitor through 0.3.7 is vulnerable to Command Injection. It allows injection of arbitrary commands as part of ‘pomelo-monitor’ params.