Insufficient escaping of line feeds for CMD in shescape

Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on windows. This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows An attacker can omit all arguments following their input by including a line feed character (`'\n'`) in the payload. This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required. Alternatively, line feed characters (`'\n'`) can be stripped out manually or the user input can be made the last argument (this only limits the impact).

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H

输出中的特殊元素转义处理不恰当(注入)

shescape 注入漏洞

shescape是开源的一个用于JavaScript的简单外壳转义程序包。使用它可以将用户控制的输入转义给shell命令，以防止shell注入。 Shescape 1.5.8之前版本存在注入漏洞，攻击者利用该漏洞可以通过在有效负载中包含换行符来省略输入后的所有参数。

N/A

N/A