GMS-2020-234: Local File Inclusion in domokeeper

September 3, 2020

All versions of domokeeper are vulnerable to Local File Inclusion. The /plugin/ route passes a GET parameter unsanitized to a require() call. It then returns the output of require() in the server response. This may allow attackers to load unintended code in the application. It also allows attackers to exfiltrate information in .json files. No fix is currently available. Consider using an alternative package until a fix is made available.

References

github.com/advisories/GHSA-cr67-78jr-j94p
www.npmjs.com/advisories/1075

Detect and mitigate GMS-2020-234 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →