Omnitaint

**Name of the Vulnerable Software and Affected Versions** morgan-json versions all **Description** The issue is related to Arbitrary Code Execution due to missing sanitization of input passed to the `Function` constructor. This allows for potential code execution with unintended consequences. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For morgan-json versions all, consider disabling the use of the `Function` constructor until a patch is available. Restrict input passed to this constructor to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** font-converter versions all **Description** The issue is related to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the `child process.exec()` function. This affects a FontForge wrapper used for conversion between different font formats, including TTF, WOFF, and OTF. **Recommendations** For all versions, consider disabling the use of the `child process.exec()` function until a patch is available. Restrict input to prevent potential command injection. Avoid using unsanitized input in the `font-converter` package to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** accesslog versions all **Description** The issue arises from the usage of the Function constructor without input sanitization in the package's exported constructor function. If attacker-controlled user input is given to the `format` option, it is possible for an attacker to execute arbitrary JavaScript code on the host. **Recommendations** For all versions, consider disabling the usage of the Function constructor with user-controlled input until a patch is available. Restrict access to the format option of the package's exported constructor function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wincred versions all **Description** The issue allows an attacker to execute arbitrary commands if attacker-controlled user input is given to the `getCredential` function. This is due to the use of the `child process` `exec` function without input sanitization, which can lead to command execution. **Recommendations** For all versions, consider disabling the `getCredential` function until a patch is available to prevent exploitation. Restrict access to the `child process` `exec` function to minimize the risk of arbitrary command execution. Avoid using the `getCredential` function with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** onion-oled-js versions prior to 0.0.3 **Description** The issue arises when attacker-controlled user input is given to the `scroll` function, allowing an attacker to execute arbitrary commands due to the use of the `child process` `exec` function without input sanitization. **Recommendations** For versions prior to 0.0.3, update to version 0.0.3 or later to resolve the issue. As a temporary workaround, consider disabling the `scroll` function until a patch is available. Restrict access to the `child process` `exec` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** psnode (affected versions not specified) **Description** The issue arises when attacker-controlled user input is given to the kill function, allowing an attacker to execute arbitrary commands due to the use of the child process exec function without input sanitization. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ffmpegdotjs (affected versions not specified) **Description** The issue allows an attacker to execute arbitrary commands if attacker-controlled user input is given to the `trimvideo` function. This is due to the use of the `child process` `exec` function without input sanitization, which can lead to command execution. **Recommendations** As a temporary workaround, consider disabling the `trimvideo` function until a patch is available. Restrict access to the `child process` `exec` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** picotts versions prior to 0.1.1 **Description** The issue arises when attacker-controlled user input is given to the `say` function, allowing an attacker to execute arbitrary commands due to the use of the `child process` `exec` function without input sanitization. **Recommendations** For versions prior to 0.1.1, as a temporary workaround, consider disabling the `say` function until a patch is available. Restrict access to the `child process` `exec` function to minimize the risk of exploitation. Avoid using the `say` function with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** portkiller versions all **Description** The issue allows an attacker to execute arbitrary commands if attacker-controlled user input is provided. This is caused by the use of the child process exec function without proper input sanitization. **Recommendations** For all versions, consider disabling the use of the child process exec function until a proper fix is implemented, and ensure all user input is sanitized to prevent arbitrary command execution.

**Name of the Vulnerable Software and Affected Versions** roar-pidusage (affected versions not specified) **Description** The issue allows an attacker to execute arbitrary commands if attacker-controlled user input is given to the `stat` function of the package on certain operating systems. This is due to the use of the `child process` `exec` function without input sanitization. **Recommendations** As a temporary workaround, consider disabling the `stat` function of the roar-pidusage package until a patch is available. Restrict access to the `child process` `exec` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

[Content removed]

**Name of the Vulnerable Software and Affected Versions** ps-visitor versions prior to 0.0.3 **Description** The issue arises when attacker-controlled user input is given to the `kill` function, allowing an attacker to execute arbitrary commands due to the use of the `child process` `exec` function without input sanitization. **Recommendations** For versions prior to 0.0.3, update to version 0.0.3 or later to resolve the issue. As a temporary workaround, consider disabling the `kill` function until a patch is available. Restrict access to the `child process` `exec` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** portprocesses versions prior to 1.0.5 **Description** The issue allows an attacker to execute arbitrary commands if attacker-controlled user input is given to the `killProcess` function. This is due to the use of the `child process` `exec` function without input sanitization. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider disabling the `killProcess` function until a patch is available. Restrict access to the `child process` `exec` function to minimize the risk of exploitation. Avoid using unsanitized user input in the `killProcess` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** kill-by-port versions prior to 0.0.2 **Description** The issue allows an attacker to execute arbitrary commands if attacker-controlled user input is given to the `killByPort()` function. This is due to the use of the `child process` `exec` function without input sanitization. **Recommendations** For versions prior to 0.0.2, update to version 0.0.2 or later to resolve the issue. As a temporary workaround, consider disabling the `killByPort()` function until a patch is available. Restrict access to the `child process` `exec` function to minimize the risk of exploitation. Avoid using the `killByPort()` function with untrusted user input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** killport versions prior to 1.0.2 **Description** The issue allows an attacker to execute arbitrary commands if attacker-controlled user input is given. This is due to the use of the child process exec function without input sanitization. For example, running a proof of concept will cause the command `touch success` to be executed, leading to the creation of a file called `success`. **Recommendations** For versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of the child process exec function until a patch is available. Restrict access to user input to minimize the risk of exploitation. Avoid using unsanitized user input in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** port-killer versions all **Description** The issue allows an attacker to execute arbitrary commands if attacker-controlled user input is given. This is due to the use of the child process exec function without input sanitization. For example, running a proof of concept will cause the command `touch success` to be executed, leading to the creation of a file called `success`. **Recommendations** For all versions, consider disabling the use of the `child process exec` function until a patch is available. Restrict access to user input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** kill-process-by-name versions all **Description** The issue allows an attacker to execute arbitrary commands if attacker-controlled user input is given. This is due to the use of the child process exec function without input sanitization in the index.js file. **Recommendations** For all versions, consider disabling the use of the child process exec function in the index.js file until a patch is available. Restrict access to the index.js file to minimize the risk of exploitation. Avoid using unsanitized user input in the affected function to prevent arbitrary command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ps-kill versions all **Description** The issue affects the ps-kill package, where an attacker can execute arbitrary commands if attacker-controlled user input is given to the `kill` function. This is due to the use of the `child process` `exec` function without input sanitization in the `index.js` file. A proof of concept (PoC) demonstrates this vulnerability by using the `kill` function with a malicious input, such as `$(touch success)`, which can lead to arbitrary command execution. **Recommendations** As a temporary workaround, consider disabling the `kill` function until a patch is available. Restrict access to the `index.js` file to minimize the risk of exploitation. Avoid using the `child process` `exec` function with unsanitized user input in the `kill` function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.