CyberSec.Space Logo
Back to CVE Browser

CVE-2020-26245

HIGH
8.1
CVSS Severity Score
EPSS Score0.1250%
EPSS Percentile29.53th
PublishedNov 27, 2020
Last ModifiedNov 21, 2024

Vulnerability Description

npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().

Affected Platforms (CPE)

πŸ“¦
Systeminformation

Systeminformation

< 4.30.5

References & Advisories

πŸ”— https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016
πŸ”— https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg
πŸ”— https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016
πŸ”— https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg

Related Vulnerabilities

CVE-2021-213888.9

systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been disc...

CVE-2020-77528.8

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can conca...

CVE-2020-77787.3

This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, wh...

CVE-2021-213157.1

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve...