Description
An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.
Remediation
References
https://nodesecurity.io/advisories/143
Related Vulnerabilities
CVE-2018-20433 Vulnerability in maven package c3p0:c3p0
CVE-2014-6071 Vulnerability in npm package jquery
CVE-2022-41376 Vulnerability in npm package metro4
CVE-2019-17359 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on
CVE-2020-1697 Vulnerability in maven package org.keycloak:keycloak-server-spi-private