YoutubeDLSharp allows command injection on windows system due to non sanitized arguments

YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

在命令中使用的特殊元素转义处理不恰当(命令注入)

Bluegrams YoutubeDLSharp 安全漏洞

Bluegrams YoutubeDLSharp是Bluegrams公司的一个youtube-dl和yt-dlp的简单.NET包装库。 Bluegrams YoutubeDLSharp 1.0.0-beta4版本至1.1.2之前版本存在安全漏洞，该漏洞源于参数转换不安全，可能导致命令注入。

N/A

N/A