CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 1CVE-2023-40185 – Shescape on Windows escaping may be bypassed in threaded context
https://notcve.org/view.php?id=CVE-2023-40185
23 Aug 2023 — shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell. This bug has been patched in version 1.7.4. • https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-35931 – Shescape potential environment variable exposure on Windows with CMD
https://notcve.org/view.php?id=CVE-2023-35931
23 Jun 2023 — Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1. • https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac • CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2022-31179 – Insufficient escaping of line feeds for CMD in shescape
https://notcve.org/view.php?id=CVE-2022-31179
01 Aug 2022 — Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on windows. This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows An attacker can omit all arguments following their input by including a line feed character (`'\n'`) in the payload. This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required. • https://github.com/ericcornelissen/shescape/pull/332 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2021-21384 – Null characters not escaped in shescape
https://notcve.org/view.php?id=CVE-2021-21384
18 Mar 2021 — shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using _Shescape_ to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required. shescape es un paquete de escape de shell simple para JavaScript. • https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •