Description
All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection: the package invokes shell.exec without sanitization or parametrization while concatenating the current directory into the command string, so shell metacharacters in that path are interpreted by the shell.
Remediation
References
https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/lib/index.js#L115
https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/lib/index.js#L64
https://security.snyk.io/vuln/SNYK-JS-SKETCHSVG-3167969
Related Vulnerabilities
CVE-2021-28860 Vulnerability in npm package mixme
CVE-2023-36472 Vulnerability in npm package @strapi/plugin-content-manager
CVE-2022-3971 Vulnerability in npm package matrix-appservice-irc
CVE-2021-33611 Vulnerability in maven package org.webjars.bowergithub.vaadin:vaadin-menu-bar
CVE-2022-36900 Vulnerability in maven package com.compuware.jenkins:compuware-zadviser-api