CVE-2020-26245

Severity: 9.8 CRITICAL
EPSS: 1.1% (top 21.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 27

Description

The npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of the shell sanitization code to avoid prototype pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
Exploitability: 2.2 | Impact: 5.3

Affected Packages (3 packages)

Patches

Vulnerability Details

GHSA: Prototype Pollution in systeminformation (2020-11-27)
CVEList: Prototype Pollution leading to Command Injection in systeminformation (2020-11-27)
OSV: Prototype Pollution in systeminformation (2020-11-27)