This repository was archived by the owner on Jul 11, 2023. It is now read-only.
This issue has been generated on behalf of Mik317 (https://huntr.dev/app/users/Mik317)
Vulnerability Description
Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command that will be executed without any checks. The spawn function receives the _executableShell variable, which is the /bin/sh command. This could result in any command, even if the function is written correctly, leading to RCE.
The issue arises here:
https://github.com/mattijs/node-rsync/blob/master/rsync.js#L506
Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/