Description
pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
Remediation
References
https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122
Related Vulnerabilities
CVE-2020-7781 Vulnerability in npm package connection-tester
CVE-2020-35476 Vulnerability in maven package net.opentsdb:opentsdb
CVE-2019-19466 Vulnerability in npm package sceditor
CVE-2022-25350 Vulnerability in npm package puppet-facter
CVE-2020-36049 Vulnerability in npm package socket.io-parser