CVE-2019-17625: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

May 24, 2022 (updated July 18, 2023)

There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such as an exec of OS commands within the onerror attribute of an IMG element.

References

github.com/Ekultek/CVE-2019-17625/
github.com/advisories/GHSA-2gc6-2h2g-ph48
nvd.nist.gov/vuln/detail/CVE-2019-17625
web.archive.org/web/20211209122051/https://github.com/ramboxapp/community-edition/issues/2418

Code Behaviors & Features

Detect and mitigate CVE-2019-17625 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →