Vulnerability	Vulnerable Version
M External Control of File Name or Path launch-editor is a launch editor from node.js Affected versions of this package are vulnerable to External Control of File Name or Path in the handling of UNC paths on Windows systems. An attacker can obtain NTLMv2 password hashes by tricking a user into accessing a malicious SMB server through a specially crafted UNC path. Note: This is only exploitable if the system is running Windows, NTLM authentication is enabled, the user accesses a malicious website that interacts with a middleware using the affected package, the server with the middleware is running, and the attacker knows the URL for that server and middleware. How to fix External Control of File Name or Path? Upgrade `launch-editor` to version 2.14.1 or higher.	<2.14.1

External Control of File Name or Path

launch-editor is a launch editor from node.js

Affected versions of this package are vulnerable to External Control of File Name or Path in the handling of UNC paths on Windows systems. An attacker can obtain NTLMv2 password hashes by tricking a user into accessing a malicious SMB server through a specially crafted UNC path.

Note:

This is only exploitable if the system is running Windows, NTLM authentication is enabled, the user accesses a malicious website that interacts with a middleware using the affected package, the server with the middleware is running, and the attacker knows the URL for that server and middleware.

How to fix External Control of File Name or Path?

Upgrade launch-editor to version 2.14.1 or higher.

<2.14.1

Go back to all versions of this package