launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the file argument in the launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the launch-editor version 2.9.0, corresponding to vite version 5.4.9.
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/logging-console-plugin-pf4-rhel9:1782839279 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/logging-console-plugin-pf5-rhel9:1782840539 | * |
Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.