Description
All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection: the package invokes shell.exec without sanitization or parameterization, concatenating the current directory into the command string.
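The pattern described above, next to a parameterized form, as an added example that is not code from sketchsvg or from this advisory. It uses Node's built-in `child_process` as a stand-in for the package's `shell.exec` call; the function names and the sample directory are hypothetical and constructed for the illustration.

```javascript
// Added illustration with hypothetical names; this is not SketchSVG's code.
const { execSync, execFileSync } = require("node:child_process");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Constructed input: a working directory whose name contains shell metacharacters.
function makeSampleDir() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "svgdemo-")));
  const dir = path.join(base, "icons; echo INJECTED");
  fs.mkdirSync(dir);
  return dir;
}

// Pattern described in the advisory: the directory is concatenated into a
// command string, so the shell parses the directory name as syntax.
function pwdUnsafe(dir) {
  return execSync("cd " + dir + " && pwd", {
    encoding: "utf8",
    stdio: ["ignore", "pipe", "ignore"], // hide the failed `cd` message
  });
}

// Parameterized form: no shell is started, and the directory is passed as
// data through the cwd option instead of being spliced into a command.
function pwdSafe(dir) {
  return execFileSync("pwd", [], { cwd: dir, encoding: "utf8" }).trim();
}

// Run both forms on the constructed directory, then clean up.
const demoDir = makeSampleDir();
console.log("unsafe:", JSON.stringify(pwdUnsafe(demoDir)));
console.log("safe:  ", JSON.stringify(pwdSafe(demoDir)));
fs.rmSync(path.dirname(demoDir), { recursive: true, force: true });
```

In the unsafe form the text after `;` in the directory name runs as a second command; in the safe form the same name is only ever treated as a path.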
Remediation
References
https://security.snyk.io/vuln/SNYK-JS-SKETCHSVG-3167969
https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/lib/index.js#L64
https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/lib/index.js#L115
Related Vulnerabilities
CVE-2022-45206 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-base-core
CVE-2019-15608 Vulnerability in maven package org.webjars.npm:yarn
CVE-2022-3224 Vulnerability in maven package org.webjars.npm:parse-url
CVE-2021-23362 Vulnerability in maven package org.webjars.npm:hosted-git-info