Node.Js · Sync-Exec · CVE-2017-16024
Name of the Vulnerable Software and Affected Versions:
All published versions of sync-exec; no fixed release of the module exists. (The "0.11.9" figure sometimes quoted alongside this advisory is a Node.js version, not a sync-exec version: sync-exec was written to emulate child_process.execSync on the Node.js 0.11.x releases that predate it.)
Description:
sync-exec emulates a synchronous child_process.exec by running the command with its stdout and stderr redirected into temporary buffer files, then reading those files back once the command has finished. The buffer files live under a shared tmp directory with world-readable permissions, so any other local user on the host (no special privileges required) can read whatever the executed command printed while the buffer exists, including command output that carries credentials, tokens or other confidential data. The exposure is local only: it requires an account on the same machine, not network access or any interaction with the application.
Recommendations:
There is no patched version of sync-exec, so the fix is to remove the dependency. Run on Node.js v0.12.0 or later, where child_process.execSync() is built in, and migrate every use of sync-exec to it: execSync returns the child's output directly from a pipe, so no buffer file is ever written to disk. Note that the API differs: execSync returns stdout (as a Buffer or string) and throws when the command exits non-zero, whereas sync-exec returned an object with stdout, stderr and status fields; call sites that inspect the exit status can use child_process.spawnSync(), which returns a similar result object. To confirm nothing in the dependency tree still pulls the module in, run `npm ls sync-exec` in the project and check that it lists no matching package.