Description
im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the "exec" function.
Remediation
References
https://github.com/Turistforeningen/node-im-metadata/commit/ea15dddbe0f65694bfde36b78dd488e90f246639
https://snyk.io/vuln/SNYK-JS-IMMETADATA-544184
Related Vulnerabilities
CVE-2021-23369 Vulnerability in npm package handlebars
CVE-2017-4947 Vulnerability in maven package com.vmware.xenon:xenon-common
CVE-2020-11002 Vulnerability in maven package io.dropwizard:dropwizard-validation
CVE-2022-36886 Vulnerability in maven package org.jenkins-ci.plugins:external-monitor-job