CWE-78

MultiTech Conduit MTCDT-LVW2-24XX 1.4.17-ocea-13592 devices allow remote authenticated administrators to execute arbitrary OS commands by navigating to the Debug Options page and entering shell metacharacters in the interface JSON field of the ping function.

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the “gcov-args” argument.

codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands to the “exec” function located in “src/command.js” via the provided options.

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The “runCommand()” is called by “getDevices()” function in file “linux/manager.js”, which is required by the “index. process.env.NM_CLI” in the file “linux/manager.js”. This function is used to construct the argument of function “execSync()”, which can be controlled by users without any sanitization.

closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument “options” of the exports function in “index.js” can be controlled by users without any sanitization.