
CVE-2020-7615: OS Command Injection in fsa

CVSS Score: 7.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.64023%
Published: 12/9/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
fsa          | npm       | <= 0.5.1            | (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability report explicitly identifies execGitCommand() in lib/rep.js#63 as the vulnerable function. Analysis of the source code shows that it passes user-controlled input directly to exec() without sanitization: the function builds a git command string from untrusted input, so an attacker can append further commands with shell operators such as ';', '&&' or '|'. The operators are effective because exec() hands the whole string to a shell (/bin/sh -c), which parses them before git ever runs; passing the value as a separate argv element to execFile() would leave nothing for the shell to interpret. This is the CWE-78 OS Command Injection pattern, in which user input flows unsanitized into a system command. Note that the table above lists no first patched version, so callers of the affected versions cannot rely on an upstream fix.


WAF Protection Rules

WAF Rule

fsa through 0.5.1 is vulnerable to Command Injection. The first argument of 'execGitCommand()', located within 'lib/rep.js#63', can be controlled by users without any sanitization to inject arbitrary commands.
