CVE-2019-10788 – im-metadata
Package
Manager: npm
Name: im-metadata
Vulnerable Version: >=0 <=3.0.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01843 (percentile 0.82267)
Details
OS Command Injection in im-metadata
im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options, which are given to the "exec" function.
Metadata
Created: 2021-04-13T15:17:36Z
Modified: 2021-03-29T22:57:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-qfxv-qqvg-24pg/GHSA-qfxv-qqvg-24pg.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-qfxv-qqvg-24pg
Finding: F404
Auto approve: 1