Description
pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
Remediation
References
https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122
Related Vulnerabilities
CVE-2023-46589 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2022-33987 Vulnerability in maven package org.webjars.npm:got
CVE-2018-16486 Vulnerability in npm package defaults-deep
CVE-2022-21192 Vulnerability in npm package serve-lite
CVE-2017-16116 Vulnerability in maven package org.webjars.npm:string