Local File Inclusion in domokeeper
All versions of domokeeper are vulnerable to Local File Inclusion. The /plugin/ route passes a GET parameter unsanitized to a require() call. It then returns the output of require() in the server response. This may allow attackers to load unintended code in the application. It also allows attackers to exfiltrate information in .json files. No fix is currently available. Consider using an alternative package until a fix is made available.