Potential for Arbitrary Command Injection #29
Hi @jaredestroud! This is certainly true. However, we never expected that these APIs would ever directly consume public, unfiltered input. As such, it shouldn't really be the responsibility of
We should therefore remain un-opinionated with regard to how the API is used. Thank you for bringing this up. At the very least, I could add a note in the README to underline this behaviour for those who may not be aware.
The functions below in virtualbox.js could allow for a user to inject additional commands with the cmd variable (ex: "; pwd"), resulting in remote command execution, assuming this was public facing.