CVE-2020-7633: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2020-7633) affects apiconnect-cli-plugins through version 6.0.1. This command injection vulnerability was discovered and disclosed on April 6, 2020. The package, which is a Plugin for IBM API Connect Developer Toolkit, allows execution of arbitrary commands via the pluginUri argument (NVD, CISA).

The vulnerability exists because the pluginUri argument can be controlled by users without any sanitization in the installPlugin function located in lib/plugin-loader.js line 181. The CVSS base score for this vulnerability is 7.5, indicating a medium to high severity level. The vulnerability allows attackers to execute arbitrary system commands through the pluginUri parameter (Snyk).

A successful exploitation of this vulnerability could result in total loss of confidentiality, with potential access to restricted information. While the attacker can modify data, they have limited control over the consequences of such modifications. The vulnerability primarily affects the system's integrity and confidentiality, with no direct impact on availability (Snyk).

As of the available information, there is no fixed version available for apiconnect-cli-plugins. Users should consider implementing additional security controls or exploring alternative solutions (Snyk).