CVE-2019-10788
OS Command Injection in im-metadata
9.8
CRITICAL
CVSS 3.1
EPSS 1.8%
Description
im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. Arbitrary commands can be injected through the metadata options, which are passed to the "exec" function.
How to fix CVE-2019-10788
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- npm/im-metadata—no fix listed
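Since no fixed version exists, one mitigation is to replace the package with a small wrapper that never builds a shell command string. The following is an added example, not code from im-metadata or from this advisory: the names `buildIdentifyCall`, `parseIdentifyOutput` and `getMetadata` are hypothetical, and it assumes the metadata is read with ImageMagick's `identify` binary found on PATH.

```javascript
// Added example (hypothetical wrapper, not im-metadata's code).
// Assumption: ImageMagick's `identify` is installed and on PATH.

// The format string is fixed here and never taken from the caller.
// `\\n` sends a literal backslash-n, which identify expands per frame.
const FORMAT = '%m|%w|%h\\n';

// Validate input and build an argv array. execFile passes each element
// to the process as-is, so shell metacharacters in the path stay literal.
// Note: ImageMagick still applies its own filename syntax (coder prefixes
// such as "png:"); restrict paths further if they come from untrusted users.
function buildIdentifyCall(path, opts = {}) {
  if (typeof path !== 'string' || path.length === 0 || path.includes('\0')) {
    throw new TypeError('path must be a non-empty string without NUL bytes');
  }
  // A leading "-" would be parsed by identify as an option.
  const safePath = path.startsWith('-') ? './' + path : path;
  const timeout = opts.timeout === undefined ? 5000 : opts.timeout;
  if (!Number.isInteger(timeout) || timeout < 0) {
    throw new TypeError('timeout must be a non-negative integer (ms)');
  }
  return {
    file: 'identify',
    args: ['-format', FORMAT, safePath],
    options: { timeout, shell: false },
  };
}

// Parse the first frame's "FORMAT|WIDTH|HEIGHT" line.
function parseIdentifyOutput(stdout) {
  const [format, width, height] = stdout.split('\n')[0].trim().split('|');
  const w = Number(width);
  const h = Number(height);
  if (!format || !Number.isInteger(w) || !Number.isInteger(h)) {
    throw new Error('unexpected identify output');
  }
  return { format, width: w, height: h };
}

function getMetadata(path, opts, cb) {
  const { execFile } = require('child_process'); // no shell is spawned
  const call = buildIdentifyCall(path, opts);
  execFile(call.file, call.args, call.options, (err, stdout) => {
    if (err) return cb(err);
    let meta;
    try { meta = parseIdentifyOutput(stdout); } catch (e) { return cb(e); }
    cb(null, meta);
  });
}
```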
Is CVE-2019-10788 being exploited?
Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/im-metadata: from 0, <= 3.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |