GHSA-fm76-w8jw-xf8m: 
JavaScript vulnerability analysis and mitigation

A remote code execution (RCE) vulnerability was discovered in @saltcorn/plugins-loader versions <= 1.0.0-beta.13. The vulnerability occurs when creating new plugins using the git source, where an unsanitized plugin name from user input is used to build the plugin directory path for git clone operations (GitHub Advisory).

The vulnerability stems from the use of child_process.execSync API with unsanitized user input. When creating a new plugin, the req.body.name value is passed through multiple components without proper validation and ultimately used to construct the plugin directory path. This path is then used in a git clone command executed via execSync, allowing command injection through specially crafted plugin names (GitHub Advisory).

An attacker with admin privileges can execute arbitrary commands on the system by injecting malicious commands into the plugin name field when creating a new plugin with git source. This allows for remote code execution on the affected system (GitHub Advisory).

The vulnerability has been patched in version 1.0.0-beta.14. The fix involves sanitizing the pluginDir value before passing it to execSync, or alternatively using the child_process.execFileSync API which is more secure for executing commands with arguments (GitHub Advisory, GitHub Commit).