Command Injection Vulnerability in Pdf-image by Roest01
CVE-2018-3757
9.8 CRITICAL
What is CVE-2018-3757?
The pdf-image software, specifically version 2.0.0, contains a command injection vulnerability caused by improper handling of user-supplied string parameters. Because these parameters are not adequately escaped, an attacker can execute arbitrary commands in the server or client environment by injecting malicious input, which poses significant security risks. Developers using this software should validate input appropriately and update to a newer version in which this vulnerability is addressed.
EPSS Score
10% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved