Description
im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the "exec" function.
Remediation
References
https://github.com/Turistforeningen/node-im-metadata/commit/ea15dddbe0f65694bfde36b78dd488e90f246639
https://snyk.io/vuln/SNYK-JS-IMMETADATA-544184
Related Vulnerabilities
CVE-2023-3431 Vulnerability in maven package net.sourceforge.plantuml:plantuml
CVE-2017-7662 Vulnerability in maven package org.apache.cxf.fediz:fediz-cxf
CVE-2022-36100 Vulnerability in maven package org.xwiki.platform:xwiki-platform-tag-ui
CVE-2023-0815 Vulnerability in maven package org.opennms:opennms
CVE-2023-32314 Vulnerability in maven package org.webjars.npm:vm2