[xopen] xopen is vulnerable to OS Command Injection in Exported Function xopen(filepath)

A command injection vulnerability affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath).

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-28447
• https://security.snyk.io/vuln/SNYK-JS-XOPEN-1050981
• https://github.com/andrewimm/xopen/blob/master/index.js
• https://github.com/advisories/GHSA-74wf-cwjg-9cf2