systeminformation is vulnerable to OS command injection. An attacker is able to inject and execute arbitrary OS commands via service parameters that are passed to si.inetLatency()
, si.inetChecksite()
, si.services()
, si.processLoad()
etc.
CPE | Name | Operator | Version |
---|---|---|---|
systeminformation | le | 5.3.0 |
github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E
security.netapp.com/advisory/ntap-20210312-0007/
www.npmjs.com/advisories/1626
www.npmjs.com/package/systeminformation