PT-2020-9139 · Unknown · Im-Metadata

Published 2020-02-04 · Updated 2021-04-13 · CVE-2019-10788

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: im-metadata versions 3.0.1 and earlier

Description: The issue allows remote attackers to execute arbitrary commands via the exec argument. Arbitrary commands can be injected as part of the metadata options, which are passed to the exec function.

Recommendations: For im-metadata versions 3.0.1 and earlier, consider disabling the exec function until a patch is available to prevent arbitrary command execution. Restrict access to metadata options to minimize the risk of exploitation.
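
The weakness class described above, next to a hardened call pattern, as an added example that is not im-metadata's own code. The `identify` command name, the format string, the sample path and every function name are assumptions chosen for illustration; a child Node process stands in for the external tool so the example runs offline.

```javascript
'use strict';
const { execFileSync } = require('node:child_process');

// Pattern the advisory describes: values concatenated into one string that a
// shell will parse. Returned for comparison only; this file never runs it.
function buildShellString(path, format) {
  return 'identify -format "' + format + '" ' + path;
}

// Hardened form: an argument vector for execFile()/execFileSync(). No shell
// parses it, so each value reaches the program as exactly one argument.
function buildArgv(path, format) {
  if (typeof path !== 'string' || path.length === 0 || path.includes('\0')) {
    throw new TypeError('path must be a non-empty string without NUL bytes');
  }
  if (typeof format !== 'string') {
    throw new TypeError('format must be a string');
  }
  // A leading "-" would otherwise be read by the tool as an option.
  const safePath = path.startsWith('-') ? './' + path : path;
  return ['-format', format, safePath];
}

// Stand-in for the real tool so the example runs offline: a child Node
// process that reports the arguments it actually received.
function argsSeenByChild(argv) {
  const script =
    'process.stdout.write(JSON.stringify(process.argv.slice(-' + argv.length + ')))';
  const out = execFileSync(process.execPath, ['-e', script, '--', ...argv], {
    encoding: 'utf8',
  });
  return JSON.parse(out);
}

// Constructed input containing shell metacharacters.
const SAMPLE_PATH = 'photo.jpg; echo INJECTED';
```

With the argument vector, the sample path arrives at the child as a single literal argument, whereas the concatenated string would hand the part after `;` to the shell as a separate command.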

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2019-10788
GHSA-QFXV-QQVG-24PG
SNYK-JS-IMMETADATA-544184

Affected Products

Im-Metadata