CVE-2019-25158 — Pedroetb TTS-API OS Command Injection

描述

A vulnerability has been found in pedroetb tts-api up to 2.1.4 and classified as critical. This vulnerability affects the function onSpeechDone of the file app.js. The manipulation leads to os command injection. Upgrading to version 2.2.0 is able to address this issue. The patch is identified as 29d9c25415911ea2f8b6de247cb5c4607d13d434. It is recommended to upgrade the affected component. VDB-248278 is the identifier assigned to this vulnerability.

如何修補 CVE-2019-25158

要修補 CVE-2019-25158,請將受影響套件升級到下列已修補版本。

—升級至 2.2.0 或更新版本

CVE-2019-25158 正在被利用嗎?

低 — EPSS 為 0.7%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 2.2.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-25158
PATCHgithub.com/pedroetb/tts-api
WEBgithub.com/pedroetb/tts-api/commit/29d9c25415911ea2f8b6de247cb5c4607d13d434
WEBgithub.com/pedroetb/tts-api/releases/tag/v2.2.0
WEB