Description
im-resize through 2.3.2 allows remote attackers to execute arbitrary commands via the "exec" argument. The cmd argument used within index.js can be controlled by the user without any sanitization.
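The pattern described above, as an added example that is not im-resize's code or its patch: a command string assembled for a shell, next to an argument array validated for execFile. The option names (path, width, height), the convert command line and out.jpg are assumptions, and the Node binary stands in for the image tool so the check runs anywhere.

```javascript
const { execFileSync } = require('child_process');

// Hypothetical option names (path, width, height); not im-resize's real API.
// Vulnerable pattern: one string handed to a shell by child_process.exec,
// so shell metacharacters in any field become part of the command line.
function buildShellCommand(opts) {
  return `convert ${opts.path} -resize ${opts.width}x${opts.height} out.jpg`;
}

// Hardened pattern: validate each field, then return an argv array for
// child_process.execFile, which starts the program without a shell.
function buildConvertArgs(opts) {
  for (const key of ['width', 'height']) {
    if (!Number.isInteger(opts[key]) || opts[key] < 1 || opts[key] > 16384) {
      throw new TypeError(`${key} must be an integer between 1 and 16384`);
    }
  }
  if (typeof opts.path !== 'string' || opts.path.length === 0 || opts.path.includes('\0')) {
    throw new TypeError('path must be a non-empty string without NUL bytes');
  }
  // A leading "-" would be read as an option by the program itself.
  const input = opts.path.startsWith('-') ? `./${opts.path}` : opts.path;
  return [input, '-resize', `${opts.width}x${opts.height}`, 'out.jpg'];
}

// Pass argv to a child process without a shell and return what it received.
// The child is the current Node binary, a stand-in for the image tool.
function argvSeenByChild(args) {
  const script = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  const out = execFileSync(process.execPath, ['-e', script, '--', ...args], { encoding: 'utf8' });
  return JSON.parse(out);
}
```

With execFile the whole path value reaches the program as one argument, so a semicolon in it is just a character in a file name.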
Remediation
References
https://github.com/Turistforeningen/node-im-resize/commit/de624dacf6a50e39fe3472af1414d44937ce1f03
https://snyk.io/vuln/SNYK-JS-IMRESIZE-544183