Description

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-1021909

https://github.com/sebhildebrandt/systeminformation/blob/master/lib/internet.js

https://github.com/sebhildebrandt/systeminformation/commit/931fecaec2c1a7dcc10457bb8cd552d08089da61

Related Vulnerabilities

CVE-2017-16123 Vulnerability in npm package welcomyzt

CVE-2021-39148 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2024-36401 Vulnerability in maven package org.geoserver:gs-wms

CVE-2022-25167 Vulnerability in maven package org.apache.flume:flume-parent

CVE-2021-39132 Vulnerability in maven package org.rundeck:rundeck-core

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Patch Third Party Advisory