
CVE-2021-34083: Command injection in google-it

CVSS Score: 8.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.67928%
Published: 6/3/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: google-it
Ecosystem: npm
Vulnerable Versions: <= 1.6.2
First Patched Version: not listed

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The core vulnerability exists in both the source and transpiled versions of openInBrowser, which directly interpolates user-controlled URLs into a system command via exec(). Neither version validates or escapes its input (for example by using execFile with an arguments array, which avoids the shell entirely), so a malicious search-result link can inject OS commands. This matches CWE-78, improper neutralization of special elements used in an OS command.


WAF Protection Rules

google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in Browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retriev
