CVE-2020-7602: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2020-7602 affects the node-prompt-here package, which is designed to open a console window at a given absolute directory. The vulnerability was discovered and disclosed on March 13, 2020. This security flaw allows for command injection attacks, potentially enabling attackers to execute arbitrary commands (Snyk).

The vulnerability exists in the runCommand() function called by getDevices() in the linux/manager.js file. The issue stems from insufficient sanitization of the process.env.NM_CLI parameter, which is directly used to construct arguments for the execSync() function. This allows user-controlled input to be executed without proper validation (Snyk). The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (medium) by Snyk and 9.8 (critical) by NVD, indicating significant severity.

If successfully exploited, this vulnerability can lead to command injection attacks, potentially resulting in total loss of confidentiality of the affected system. An attacker could execute arbitrary commands with the privileges of the application running the vulnerable package (Snyk).

There is currently no fixed version available for the node-prompt-here package. Users are advised to consider using alternative packages or implementing additional input validation controls (Snyk).