im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the “exec” argument. It is possible to inject arbitrary commands as part of the metadata options, which are given to the “exec” function.
CWE-78
CVE-2019-10789
All versions of curling.js are vulnerable to Command Injection via the run function. The command argument can be controlled by users without any sanitization.
CVE-2019-10791
promise-probe before 0.10.0 allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization.
CVE-2019-10796
rpi through 0.0.3 allows execution of arbitrary commands. The variable pinNumbver in function GPIO within src/lib/gpio.js is used as part of the argument of the exec function without any sanitization.
CVE-2019-10799
compile-sass prior to 1.0.5 allows execution of arbitrary commands. The function “setupCleanupOnExit(cssPath)” within “dist/index.js” is executed as part of the “rm” command without any sanitization.
CVE-2019-10801
enpeem through 2.2.0 allows execution of arbitrary commands. The “options.dir” argument is provided to the “exec” function without any sanitization.