CVE-2018-6342
Description
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
CWE
- CWE-78 — Improper Neutralization of Special Elements used in an OS Command
Affected
- Facebook / react-dev-utils
  - v=5.0.2 [affected]
  - v=5.0.0 <unspecified [affected]
  - v=4.2.2 [affected]
  - v=4.0.0 <unspecified [affected]
  - v=3.1.2 [affected]
  - v=3.0.0 <unspecified [affected]
  - v=2.0.2 [affected]
  - v=2.0.0 <unspecified [affected]
  - v=1.0.4 [affected]
  - v=1.0.0 <unspecified [affected]
  - v=unspecified <1.0.0 [unaffected]
CVSS
- (none)
References
- https://github.com/facebook/create-react-app/releases/tag/v1.1.5 x_refsource_MISC
- https://github.com/facebook/create-react-app/pull/4866 x_refsource_MISC
Source
cvelistV5-main/cves/2018/6xxx/CVE-2018-6342.json