Cris_Semmle

**Name of the Vulnerable Software and Affected Versions** morgan versions prior to 1.9.1 **Description** The issue allows an attacker to inject arbitrary commands. This can occur when user input is allowed into the filter or combined with a prototype pollution attack. **Recommendations** For versions prior to 1.9.1, update to version 1.9.1 or later.

**Name of the Vulnerable Software and Affected Versions** kill-port versions prior to 1.3.2 **Description** The issue allows an attacker to inject arbitrary OS commands due to the usage of the exec function in a third-party module. This is possible because the package does not validate user input on the `kill` function, which may allow attackers to run arbitrary commands in the system if user input, such as the port number, is passed directly to the function. **Recommendations** Upgrade to version 1.3.2 or later. As a temporary workaround, consider restricting the use of the `kill` function in the `kill-port` module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** mpath versions prior to 0.5.1 **Description** A prototype pollution issue allows an attacker to inject arbitrary properties onto `Object.prototype` given certain input to `mpath`. This results in the added or modified properties being present on all objects. **Recommendations** Update to version 0.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** libnmapp versions prior to 0.4.16 libnmap versions prior to 0.4.16 **Description** A command injection issue allows arbitrary commands to be executed via arguments to the range options. This can be exploited by passing malicious input to the `range` option, potentially leading to unauthorized command execution. **Recommendations** For libnmapp versions prior to 0.4.16, update to version 0.4.16 or later. For libnmap versions prior to 0.4.16, update to version 0.4.16 or later. As a temporary workaround, consider restricting the use of the `range` option to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ps versions prior to 1.0.0 **Description** A command injection issue in the ps package for Node.js allows arbitrary commands to be executed when an attacker controls the PID. This can be exploited by manipulating the `pid` variable in the `lookup` function, enabling the execution of malicious commands. For instance, an attacker could use the `pid` variable to execute a command like `$(touch success.txt)`, resulting in the creation of a file named success.txt on the filesystem. **Recommendations** Update to version 1.0.0 or later. As a temporary workaround, consider restricting the use of the `lookup` function with user-controlled input until a patch is applied. Avoid using the `pid` variable in the `lookup` function with untrusted input to minimize the risk of exploitation.