Description
An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.
Remediation
References
https://nodesecurity.io/advisories/143
Related Vulnerabilities
CVE-2016-6794 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2021-43980 Vulnerability in maven package org.apache.tomcat:tomcat
CVE-2017-7677 Vulnerability in maven package org.apache.ranger:ranger-hive-utils
CVE-2011-3389 Vulnerability in npm package faye
CVE-2019-15482 Vulnerability in npm package selectize-plugin-a11y