Vulnerability Information:
- Name: Arbitrary Command Injection
- Affected Package: portprocesses
- Affected Versions: <1.0.5
- Introduction Date: 23 Feb 2021
- CVE: CVE-2021-23348
- CWE: CWE-77
- Fix: Upgrade portprocesses to version 1.0.5 or higher
- Description: Affected versions of this package are vulnerable to Arbitrary Command Injection due to the use of the child_process exec function without input sanitization in the killProcess function.

Severity:
- CVSS Assessment: 6.3 (MEDIUM) by Snyk's Security Team
- CVSS Base Scores:
  - Snyk: 6.3 MEDIUM
    - Attack Vector: Network
    - Attack Complexity: Low
    - Privileges Required: Low
    - User Interaction: None
    - Scope: Unchanged
    - Confidentiality: Low
    - Integrity: Low
    - Availability: Low
  - NVD: 8.8 HIGH

Threat Intelligence:
- Exploit Maturity: Proof of Concept
- EPSS: 1.08% (78th percentile)

References:
- GitHub Commit
- Vulnerable Code

Resources:
- Snyk ID: Snyk-JS-PORTPROCESSES-1078536
- Published: 31 Mar 2021
- Disclosed: 23 Feb 2021
- Credit: OmniTaint
- Snyk Learn: Learn about Arbitrary Command Injection vulnerabilities in an interactive lesson