CVE-2020-28447: Improper Neutralization of Special Elements used in a Command ('Command Injection')

July 26, 2022 (updated August 6, 2022)

This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath)

References

github.com/advisories/GHSA-74wf-cwjg-9cf2
github.com/andrewimm/xopen/blob/master/index.js
nvd.nist.gov/vuln/detail/CVE-2020-28447
security.snyk.io/vuln/SNYK-JS-XOPEN-1050981

Code Behaviors & Features

Detect and mitigate CVE-2020-28447 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →