Sharetribe · Sharetribe Go · CVE-2021-41280
**Name of the Vulnerable Software and Affected Versions**
Sharetribe Go versions prior to 10.2.1
**Description**
The issue affects Sharetribe Go, a source-available marketplace software, where operating system command injection is possible on installations without a secret AWS Simple Notification Service (SNS) notification token configured via the `sns_notification_token` configuration parameter. This parameter is unset by default.
**Recommendations**
For versions prior to 10.2.1, upgrade to version 10.2.1 to resolve the issue.
As a temporary workaround for users who are unable to upgrade, set the `sns_notification_token` configuration parameter to a secret value.
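
The following triage check is an added example, not code from Sharetribe or from the advisory. It classifies an installation from its version and configuration text, assuming the configuration is YAML with `sns_notification_token` as a top-level key; the function names and the sample inputs are hypothetical.

```ruby
require "yaml"

FIXED_VERSION = Gem::Version.new("10.2.1") # first fixed release per the advisory
TOKEN_KEY = "sns_notification_token"       # parameter named in the advisory

# True when the config text sets the token to a non-blank value.
# Assumption: the config is YAML with the parameter as a top-level key.
def token_configured?(config_yaml)
  data = YAML.safe_load(config_yaml) || {}
  return false unless data.is_a?(Hash)
  value = data[TOKEN_KEY]
  !value.nil? && !value.to_s.strip.empty?
end

# Classifies one installation:
#   :fixed      - version is 10.2.1 or later
#   :workaround - older version, but a token is set (its secrecy is not checked)
#   :exposed    - older version with the token unset, blank or missing
def triage(version, config_yaml)
  return :fixed if Gem::Version.new(version) >= FIXED_VERSION
  token_configured?(config_yaml) ? :workaround : :exposed
end

# Constructed sample inputs (not taken from a real deployment).
SAMPLES = {
  "unset token" => ["10.2.0", "sns_notification_token:\n"],
  "blank token" => ["10.1.3", "sns_notification_token: \"  \"\n"],
  "missing key" => ["9.0.0",  "other_setting: true\n"],
  "token set"   => ["10.2.0", "sns_notification_token: constructed-secret-value\n"],
  "upgraded"    => ["10.2.1", "sns_notification_token:\n"]
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, (ver, cfg)| puts "#{name}: #{triage(ver, cfg)}" }
end
```

An installation reported as `:workaround` still needs the upgrade to 10.2.1, since the token is only the temporary measure.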