{
  "schema_version": "1.4.0",
  "id": "GHSA-pm52-wwrw-c282",
  "modified": "2021-08-16T14:32:10Z",
  "published": "2019-06-13T18:59:06Z",
  "aliases": [],
  "summary": "Command Injection in wiki-plugin-datalog",
  "details": "Versions of `wiki-plugin-datalog` prior to 0.1.6 are vulnerable to Command Injection. The package failed to sanitize URLs on the curl endpoint, allowing attackers to inject commands and possibly achieving Remote Code Execution on the system.\n\n\n## Recommendation\n\nUpgrade to version 0.1.6 or later.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "wiki-plugin-datalog"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.6"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WardCunningham/wiki-plugin-datalog/commit/020aa6201319e5b76301a61b65268c94dc242fa7"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-WIKIPLUGINDATALOG-449540"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/926"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-13T18:50:56Z",
    "nvd_published_at": null
  }
}