PT-2020-19720 · Mock2Easy · Mock2Easy
Published 2020-07-29 · Updated 2021-07-21 · CVE-2020-7697
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
mock2easy versions prior to 0.0.25
Description
The issue allows a malicious user to inject commands through the data variable. This is possible in the affected area of the code, where the require('../server/getJsonByCurl') function is called with user-controlled input from data.interfaceUrl, data.cookie, and data.interfaceType.

Recommendations
For versions prior to 0.0.25, validate and sanitize the data variable to prevent command injection. As a temporary workaround, restrict access to the require('../server/getJsonByCurl') function to minimize the risk of exploitation. Ensure that all user-controlled input is properly validated before it reaches the command.

Exploit
Fix
Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Mock2Easy