Description
OS command injection vulnerability in Nadesiko3 (PC Version) v3.3.68 and earlier allows a remote attacker to execute an arbitrary OS command when processing compression and decompression on the product.
Release notes for versions 3.3.62 and 3.3.69 both link to patches for this particular issue. The JPCERT/CC advisory lists versions 3.3.
Recommendation
Update the nadesiko3 package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 3.3.68
- Patched version(s): 3.3.69
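One way to check a project against the affected range above, as an added example (not code from this advisory or from the nadesiko3 project): it scans a parsed `package-lock.json` for nadesiko3 copies at or below 3.3.68, including nested copies pulled in by other packages. The sample lockfile and every package name in it other than nadesiko3 are constructed.

```javascript
// Added example, not code from the advisory or the nadesiko3 project.
const LAST_AFFECTED = "3.3.68"; // from the advisory; 3.3.69 is the patched version
// Compare two x.y.z versions numerically (a pre-release suffix is ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Return every nadesiko3 copy in a parsed package-lock.json that is in the
// affected range, plus copies whose version is not a plain x.y.z string
// (for example a git URL) as "unverified" so they are reviewed by hand.
function findAffected(lock, name = "nadesiko3") {
  const hits = [];
  const check = (where, version) => {
    if (!/^\d+\.\d+\.\d+/.test(String(version))) {
      hits.push({ where, version, status: "unverified" });
    } else if (compareVersions(version, LAST_AFFECTED) <= 0) {
      hits.push({ where, version, status: "affected" });
    }
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/" + name || path.endsWith("/node_modules/" + name)) {
      check(path, meta.version);
    }
  }
  // lockfileVersion 1: nested "dependencies" map keyed by package name.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      if (dep === name) check(trail + "/" + dep, meta.version);
      walk(meta.dependencies, trail + "/" + dep);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}
// Constructed sample lockfile (package names other than nadesiko3 are made up).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/nadesiko3": { version: "3.3.61" },
  "node_modules/some-tool/node_modules/nadesiko3": { version: "3.3.69" },
  "node_modules/nadesiko3-helper": { version: "1.0.0" },
} };
console.log(findAffected(sampleLock));
```

To run it against a real project, pass the result of `JSON.parse` on the project's `package-lock.json` contents to `findAffected` in place of `sampleLock`.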
References
Related Issues
- nadesiko3 vulnerable to OS Command Injection - CVE-2022-42496
- Bootstrap Cross-site Scripting vulnerability - CVE-2016-10735
- protobufjs Prototype Pollution vulnerability - CVE-2023-36665
- chromedriver Command Injection vulnerability - CVE-2023-26156
- Tags:
- npm
- nadesiko3
Last updated on January 31, 2023