
Fix command injection vulnerability #23

Merged (1 commit, Oct 28, 2023)

Conversation

asciimoth (Contributor)

Fix passing of unescaped text to the arguments of the notification command in dcnnt/plugins/notifications.py

This is a high-risk vulnerability that can lead to RCE and allow arbitrary code execution on the server while the notification is showing.

All text received over the network MUST be escaped before being transmitted to the database or to the shell command arguments.

(Old PR was closed due to accidental deletion of the repository)

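The pattern the PR describes, as an added example that is not dcnnt's own code: a notification title and body received from the network are pasted into a shell command string, beside the two standard fixes (quoting each field, or skipping the shell entirely). The `notify-send` template, the `shell_command_count` helper and the sample payload are constructed assumptions; the PR page does not show dcnnt's actual template syntax.

```python
"""Added example: command injection via notification text, and its fixes.
The template and payload below are constructed; dcnnt's real code is not shown."""
import shlex

# Constructed stand-in for a user-configured notification command template.
NOTIFY_TEMPLATE = "notify-send {title} {text}"


def build_vulnerable(title: str, text: str) -> str:
    """Unsafe: raw network text is interpolated into a string that a shell
    will parse, so metacharacters (; | & $() ...) in `text` become syntax."""
    return NOTIFY_TEMPLATE.format(title=title, text=text)


def build_hardened(title: str, text: str) -> str:
    """Safe if the template must stay a shell string: shlex.quote wraps each
    field so the shell sees it as one literal word."""
    return NOTIFY_TEMPLATE.format(title=shlex.quote(title), text=shlex.quote(text))


def build_argv(title: str, text: str) -> list:
    """Safest: hand subprocess an argv list (shell=False); nothing is parsed."""
    return ["notify-send", title, text]


def shell_command_count(cmd: str) -> int:
    """Number of separate commands a POSIX shell would run for `cmd`,
    estimated by tokenising it and counting ; | & && || separators.
    Quoted text is kept as a single token, exactly as the shell would."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "|", "&", "&&", "||"}
    return 1 + sum(1 for tok in lexer if tok in separators)


if __name__ == "__main__":
    # Constructed payload: a harmless second command smuggled into the body.
    payload = "hi; echo INJECTED"
    for name, cmd in (("vulnerable", build_vulnerable("Hello", payload)),
                      ("hardened", build_hardened("Hello", payload))):
        print(f"{name:10s} commands={shell_command_count(cmd)}  {cmd}")
    print("argv      ", build_argv("Hello", payload))
```

Running the block shows the vulnerable string yields two shell commands while the quoted form yields one; with the argv form the body never reaches a shell at all.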
@cyanomiko cyanomiko merged commit 4c64bbc into cyanomiko:master Oct 28, 2023
cyanomiko (Owner)

Merged. Thanks for important fix!
