In SPX-GC 1.3.0v and below, user-controlled input was passed to the exec function of the child_process module without any sanitization, leading to unauthenticated blind remote code execution.
In /routes/routes-api.js, user input received from the file parameter is passed into the exec function of child_process, leading to unauthenticated blind RCE.
Blind Remote Code Execution (RCE) in web applications occurs when an attacker can execute arbitrary code on a server without immediate feedback or direct knowledge of the results. This vulnerability often arises from improper user input handling and can be exploited through mechanisms like command execution.
References:
- OWASP Foundation's OWASP Cheat Sheet Series: Command Injection
- CWE-94: Improper Control of Generation of Code ('Code Injection')
SPX-GC <= 1.3.0v
Fixed in commit 31c96893a193428a3a11499ed0e165125f9bbe23. The changes were added to the master branch, so a new build and installation from that branch are not vulnerable. The fix has not yet been published as a release on GitHub.
CVE-2024-44623
Blind Remote Code Execution
Usage of user input in the require('child_process').exec('open "' + folder + '"'); call in the routes/routes-api.js file
Shell commands can be executed by an unauthenticated user on any instance where the vulnerable SPX-GC tool is running.
Vulnerable Code: routes/routes-api.js#L37-L39
Fix Commit: 31c96893a193428a3a11499ed0e165125f9bbe23