The libvcs package before 0.11.1 is vulnerable to command injection via argument injection. When the update_repo function is called for a Mercurial (hg) repository, the url parameter is passed directly to the hg clone command. By injecting hg options through the url, it was possible to obtain arbitrary command execution.
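The following is an added illustration, not libvcs's own code: the unsafe pattern the advisory describes, where the URL is placed straight into the hg argument list, beside a hardened version that rejects option-like values and ends option parsing with `--`. The scheme allowlist and the function names are assumptions made for this example.

```python
import re
import subprocess
from typing import List

# Constructed example of the vulnerable pattern: a url that begins with "-"
# is parsed by hg as an option rather than as the clone source.
def vulnerable_clone_argv(url: str, dest: str) -> List[str]:
    return ["hg", "clone", url, dest]


# Assumed allowlist for this example; adjust to the schemes a deployment needs.
_ALLOWED_SCHEMES = ("http", "https", "ssh")
_URL_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.\-]*)://\S+$", re.IGNORECASE)


def is_safe_hg_url(url: str) -> bool:
    """True only for an absolute URL with an allowed scheme that cannot be
    mistaken for an hg option (i.e. it does not start with '-')."""
    if url.startswith("-"):
        return False
    m = _URL_RE.match(url)
    return bool(m) and m.group("scheme").lower() in _ALLOWED_SCHEMES


def safe_clone_argv(url: str, dest: str) -> List[str]:
    """Build the hg command with the url validated and placed after '--',
    so hg stops option parsing before it reads the positional arguments."""
    if not is_safe_hg_url(url):
        raise ValueError(f"refusing to clone from untrusted url: {url!r}")
    return ["hg", "clone", "--", url, dest]


def clone(url: str, dest: str) -> int:
    # shell=False: the list is passed to execve directly, never through /bin/sh.
    return subprocess.run(safe_clone_argv(url, dest), check=False).returncode
```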
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| libvcs (PyPI) | 0 | 0.11.1 | N/A |
| vcspull (PyPI) | 0 | 1.11.1 | N/A |
CVSS Metrics