npm/@frangoteam/fuxa/CVE-2023-33831.yml

---
identifier: "CVE-2023-33831"
identifiers:
- "GHSA-r87q-fq37-pvr6"
- "CVE-2023-33831"
package_slug: "npm/@frangoteam/fuxa"
title: "Improper Neutralization of Special Elements used in a Command ('Command Injection')"
description: "A remote command execution (RCE) vulnerability in the /api/runscript
  endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted
  POST request."
date: "2023-09-19"
pubdate: "2023-09-18"
affected_range: "<=1.1.13"
fixed_versions: []
affected_versions: "All versions up to 1.1.13"
not_impacted: ""
solution: "Unfortunately, there is no solution available yet."
urls:
- "https://nvd.nist.gov/vuln/detail/CVE-2023-33831"
- "https://github.com/rodolfomarianocy/Unauthenticated-RCE-FUXA-CVE-2023-33831"
- "https://github.com/advisories/GHSA-r87q-fq37-pvr6"
cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
uuid: "a788652d-eb36-48ce-9c0f-d43e937a70b0"
cwe_ids:
- "CWE-1035"
- "CWE-77"
- "CWE-78"
- "CWE-937"