I would like to report command injection in pdf-image
It allows executing commands on the server
module name: pdf-image
version: 1.0.5
npm page: https://www.npmjs.com/package/pdf-image
> Provides an interface to convert PDF’s pages to png files in Node.js by using ImageMagick.
[2013] downloads in the last week
> Description about how the vulnerability was found and how it can be exploited, how it harms package users (data modification/loss, system access, other).
> The constructGetInfoCommand would be initializing the command that is to be passed to ‘exec’ of getInfo(). The user input is not getting validated in #L26 of constructGetInfoCommand and it leads to command injection in #L43.
https://github.com/mooz/node-pdf-image/blob/master/index.js#L26
https://github.com/mooz/node-pdf-image/blob/master/index.js#L43

## Patch
> State all technical information about the stack where the vulnerability was found
An attacker could execute arbitrary shell commands