CVE-2020-28429

Name of the Vulnerable Software and Affected Versions: geojson2kml versions prior to 0.1.1

Description: The issue is related to Command Injection via the index.js file in the geojson2kml package. An example of exploitation is provided using the require function to execute a command, specifically var a = require("geojson2kml"); a("./", "& touch JHU", function(){}). This demonstrates how an attacker could potentially inject malicious commands.

Recommendations: For versions prior to 0.1.1, consider disabling the vulnerable functionality in the index.js file as a temporary workaround until a patch is available. Restrict access to the require function with the geojson2kml package to minimize the risk of exploitation. Avoid using the a function with untrusted input in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.