CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2020-26245

HIGH
8.1
CVSS Severity Score
EPSS Score0.1250%
EPSS Percentile29.53th
Published2020年11月27日
Last Modified2024年11月21日

Vulnerability Description

npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().

Affected Platforms (CPE)

📦
Systeminformation

Systeminformation

< 4.30.5

References & Advisories

🔗 https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016
🔗 https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg
🔗 https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016
🔗 https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg

相關漏洞威脅

CVE-2021-213888.9

systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been disc...

CVE-2020-77528.8

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can conca...

CVE-2020-77787.3

This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, wh...

CVE-2021-213157.1

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve...