Description

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.

Remediation

References

https://github.com/sebhildebrandt/systeminformation/blob/master/lib/internet.js

https://github.com/sebhildebrandt/systeminformation/commit/931fecaec2c1a7dcc10457bb8cd552d08089da61

https://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-1021909

Related Vulnerabilities

CVE-2020-14967 Vulnerability in maven package org.webjars.npm:jsrsasign

CVE-2019-10744 Vulnerability in maven package org.webjars.bower:lodash

CVE-2018-3730 Vulnerability in npm package mcstatic

CVE-2023-49210 Vulnerability in npm package openssl

CVE-2020-8137 Vulnerability in npm package uppy

Severity

Critical

Classification

CWE-78

Tags

Exploit Third Party Advisory Patch