Description
OS command injection vulnerability in Nadesiko3 (PC Version) v3.3.68 and earlier allows a remote attacker to execute an arbitrary OS command when processing compression and decompression on the product.
Release notes for versions 3.3.62 and 3.3.69 both link to patches for this particular issue. The JPCERT/CC advisory lists versions 3.3.
Recommendation
Update the nadesiko3 package to the latest compatible version. Version details:
- Affected version(s): <= 3.3.68
- Patched version(s): 3.3.69
Related Issues
- nadesiko3 vulnerable to OS Command Injection - CVE-2022-42496
- create-choo-app3 is vulnerable to Command Injection via the devInstall function - CVE-2022-25855
- Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID) - CVE-2024-56334
- Command Injection Vulnerability in systeminformation (GHSA-m57p-p67h-mq74) - CVE-2020-26274
Tags:
- npm
- nadesiko3
Last updated on January 31, 2023