aliyundrive-webdav vulnerable to Command Injection

Description

An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2024-03-29 18:30:42 UTC
Updated
2024-03-29 20:14:35 UTC
GitHub reviewed
2024-03-29 20:14:34 UTC
NVD published
2024-03-29

EPSS Score

Score Percentile
2.42% 84.60%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rust aliyundrive-webdav <= 2.3.3
pip aliyundrive-webdav <= 2.3.3

References

cvelogic Threat Intelligence