A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA

Severity:: High

Description

A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.

Recommendation

No fix is available yet. Followings are affected versions:

<= 1.1.13

References

GHSA-r87q-fq37-pvr6
youtu.be
CVE-2023-33831
CWE-77
CWE-94
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

JSONPath Plus Remote Code Execution (RCE) Vulnerability - CVE-2024-21534
systeminformation SSID Command Injection Vulnerability - CVE-2023-42810
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
FUXA SQL Injection vulnerability (GHSA-p46g-8c3q-89p2) - CVE-2023-31719

Tags:: npm; @frangoteam/fuxa

Anything's wrong? Let us know Last updated on November 11, 2023