CVE-2020-15362: 
JavaScript vulnerability analysis and mitigation

wifiscanner.js in thingsSDK WiFi Scanner 1.0.1 contains a code injection vulnerability (CVE-2020-15362) that allows attackers to execute arbitrary code. The vulnerability exists because the module can be used with options to overwrite the default executable/binary path and its arguments without proper input sanitization (GitHub Issue).

The vulnerability exists in the wifiscanner.js file where the command property concatenates binaryPath and args options without any sanitization before passing to childProcess.exec(). The CVSS v3.1 base score is 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (NVD).

Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the affected system. This could lead to complete system compromise, including the ability to read, modify, or delete data, create new accounts, and execute malicious programs (GitHub Issue).

Users must ensure appropriate sanitization of user inputs before passing them to the module. At minimum, any user input that could affect the binaryPath or args options should be properly validated and sanitized. Additionally, users should consider implementing input validation at the application level to restrict the allowed values for these parameters (GitHub Issue).