CVE-2020-5282
HIGH
nick_chan_bot < 1.0.0-beta - OS Command Injection via npm Command
Title source: llm
Description
In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. This allows arbitrary shell execution, which can compromise the bot. This is patched in version 1.0.0-beta.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/Assfugil/nickchanbot/security/advisories/GHSA-8xwp-r7pj-cgw3
Patch, Third Party Advisory x_refsource_misc
https://github.com/Assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba
Scores
CVSS v3
7.2
EPSS
0.0114
EPSS Percentile
62.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-78
Status
published
Products (1)
nick_chan_bot_project/nick_chan_bot
1.0.0 beta_pre_11 (4 CPE variants)
Published
Mar 25, 2020
Tracked Since
Feb 18, 2026