CVE-2013-7378: Potential Command Injection in hubot-scripts

CVSS Score: 9.8

Basic Information

EPSS Score: -
Published: 8/31/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: hubot-scripts
Ecosystem: npm
Vulnerable Versions: <= 2.4.3
First Patched Version: 2.4.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from using child_process.exec() with unescaped user input to build a mail command string. The commit feee5ab shows the fix: replacing exec() with execFile() and argument arrays. The original exec() call in sendEmail combined user inputs into a shell command without proper sanitization, making it vulnerable to injection. CWE-74 (Injection) and the patch methodology confirm this assessment.

WAF Protection Rules

WAF Rule

Versions 2.4.3 and earlier of hubot-scripts are vulnerable to a command injection vulnerability in the `hubot-scripts/package/src/scripts/email.coffee` module.

Mitigating factors

The email script is not enabled by default, it has to be manually