CWE-78

pulverizr through 0.7.0 allows execution of arbitrary commands. Within “lib/job.js”, the variable “filename” can be controlled by the attacker. This function uses the variable “filename” to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.

gulp-tape through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of ‘gulp-tape’ options.

docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within ‘index.js’ of the package, the function ‘exec(serviceName, cmd, fnStdout, fnStderr, fnExit)’ uses the variable ‘serviceName’ which can be controlled by users without any sanitization.

gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument ‘options’ of the exports function in ‘index.js’ can be controlled by users without any sanitization.

clamscan through 1.2.0 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the `_is_clamav_binary` function located within `Index.js`. It should be noted that this vulnerability requires a pre-requisite that a folder should be created with the same command that will be chained to execute. This lowers the risk of this issue.

npm-programmatic through 0.0.12 is vulnerable to Command Injection.The packages and option properties are concatenated together without any validation and are used by the ‘exec’ function directly.