Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The package cookiecutter before 2.1.1 is vulnerable to Command Injection via 'hg' argument injection. When calling the "cookiecutter" function from Python code with the checkout parameter, it is passed to the 'hg' checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.
CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.