CVE-2020-26245
published 2020-11-27CVE-2020-26245: npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of…
PriorityP353critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.93%
77.4th percentile
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sebhildebrandt | systeminformation | < 4.30.5 | 4.30.5 |
| systeminformation | systeminformation | < 4.30.5 | 4.30.5 |
| systeminformation | systeminformation | >= 0 < 4.30.5 | 4.30.5 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Prototype Pollution in systeminformation
ghsa·2020-11-27
CVE-2020-26245 [MEDIUM] CWE-471 Prototype Pollution in systeminformation
Prototype Pollution in systeminformation
### Impact
command injection vulnerability by prototype pollution
### Patches
Problem was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. Please upgrade to version >= 4.30.2
### Workarounds
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite()
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [systeminformation](https://github.com/sebhildebrandt/systeminformation/issues/new?template=bug_report.md)
OSV
Prototype Pollution in systeminformation
osv·2020-11-27
CVE-2020-26245 [MEDIUM] Prototype Pollution in systeminformation
Prototype Pollution in systeminformation
### Impact
command injection vulnerability by prototype pollution
### Patches
Problem was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. Please upgrade to version >= 4.30.2
### Workarounds
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite()
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [systeminformation](https://github.com/sebhildebrandt/systeminformation/issues/new?template=bug_report.md)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjghttps://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg
2020-11-27
Published