CVE-2021-23412

HIGH

gitlogplus - OS Command Injection via Unsanitized Options Attributes

Title source: llm

Description

All versions of the npm package gitlogplus are vulnerable to OS Command Injection through its main functionality: the attributes of the options object are appended to the shell command that the package executes without any sanitization.

References (3)

Core References (3)

Exploit, Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-JS-GITLOGPLUS-1315832
Exploit, Third Party Advisory (x_refsource_misc): https://hackerone.com/reports/808942
Product (x_refsource_misc): https://www.npmjs.com/package/gitlogplus

Scores

CVSS v3 score: 8.1
EPSS score: 0.0403
EPSS percentile: 89.3%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78 (OS Command Injection)
Status: published
Products (6)
gitlogplus_project/gitlogplus 3.1.3
gitlogplus_project/gitlogplus 3.1.4
gitlogplus_project/gitlogplus 3.1.5
gitlogplus_project/gitlogplus 3.1.6
gitlogplus_project/gitlogplus 3.1.7
npm/gitlogplus 0npm
Published Jul 23, 2021
Tracked Since Feb 18, 2026