CVE-2020-7789
OS Command Injection in node-notifier
5.6
MEDIUM
CVSS 3.1
EPSS 0.21%
Description
This affects the package node-notifier before 8.0.1. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
How to fix CVE-2020-7789
To remediate CVE-2020-7789, upgrade the affected package to a fixed version below.
- npm/node-notifier—upgrade to 8.0.1 or later
Is CVE-2020-7789 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 8.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |