CVE-2018-3746
published 2018-06-01CVE-2018-3746: The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine.
PriorityP260critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
4.93%
91.0th percentile
The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hackerone | pdfinfojs | — | — |
| pdfinfojs_project | pdfinfojs | <= 0.3.6 | — |
| pdfinfojs_project | pdfinfojs | >= 0 < 0.4.1 | 0.4.1 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
ghsa9.8CRITICAL
osv9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Command Injection in standard-version
osv·2020-07-13·CVSS 9.8
[CRITICAL] Command Injection in standard-version
Command Injection in standard-version
# GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2020-111`
The [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [standard-version](https://github.com/conventional-changelog/standard-version).
## Summary
The `standardVersion` function has a command injection vulnerability. Clients of the `standard-version` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
## Product
Standard Version
## Tested Version
Commit [2f04ac8](https://github.com/conventional-changelog/standard-version/tree/2f04ac8fc1c134a1981c23a093d4eece77d0bbb9/)
## Details
### Issue 1: Command injection in `standardVersion`
The following proof-of-concept i
GHSA
Command Injection in standard-version
ghsa·2020-07-13·CVSS 9.8
[CRITICAL] CWE-77 Command Injection in standard-version
Command Injection in standard-version
# GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2020-111`
The [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [standard-version](https://github.com/conventional-changelog/standard-version).
## Summary
The `standardVersion` function has a command injection vulnerability. Clients of the `standard-version` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
## Product
Standard Version
## Tested Version
Commit [2f04ac8](https://github.com/conventional-changelog/standard-version/tree/2f04ac8fc1c134a1981c23a093d4eece77d0bbb9/)
## Details
### Issue 1: Command injection in `standardVersion`
The following proof-of-concept i
GHSA
Command Injection in pdfinfojs
ghsa·2018-06-07
CVE-2018-3746 [CRITICAL] CWE-77 Command Injection in pdfinfojs
Command Injection in pdfinfojs
Versions of `pdfinfojs` before 0.4.1 are vulnerable to command injection. This is exploitable if an attacker can control the filename parameter that is passed into the `pdfinfojs` constructor.
## Recommendation
Update to version 0.4.1 or later.
OSV
Command Injection in pdfinfojs
osv·2018-06-07
CVE-2018-3746 [CRITICAL] Command Injection in pdfinfojs
Command Injection in pdfinfojs
Versions of `pdfinfojs` before 0.4.1 are vulnerable to command injection. This is exploitable if an attacker can control the filename parameter that is passed into the `pdfinfojs` constructor.
## Recommendation
Update to version 0.4.1 or later.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2018-06-01
Published