Description
im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the "exec" function.
Remediation
References
https://github.com/Turistforeningen/node-im-metadata/commit/ea15dddbe0f65694bfde36b78dd488e90f246639
https://snyk.io/vuln/SNYK-JS-IMMETADATA-544184
Related Vulnerabilities
CVE-2022-36911 Vulnerability in maven package org.jenkins-ci.plugins:openstack-heat
CVE-2021-3803 Vulnerability in npm package nth-check
CVE-2023-45648 Vulnerability in maven package org.apache.tomcat:tomcat-coyote
CVE-2021-25122 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core