CVE-2020-26300

CWE-77 — Command Injection CWE-78 — OS Command Injection4 documents4 sources

Severity

9.8CRITICAL

EPSS

1.1%

top 21.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sebhildebrandt Systeminformation Systeminformation Systeminformation

Timeline

PublishedSep 9

Description

systeminformation is an npm package that provides system and OS information library for node.js. In systeminformation before version 4.26.2 there is a command injection vulnerability. Problem was fixed in version 4.26.2 with a shell string sanitation fix.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:NExploitability: 1.4 | Impact: 4.0

Affected Packages3 packages

▶npmsysteminformation< 4.26.2

▶CVEListV5sebhildebrandt/systeminformation< 4.26.2

▶NVDsysteminformation/systeminformation< 4.26.2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Command injection in systeminformation↗2021-09-09

▶

GHSA

Command Injection in systeminformation↗2020-10-27

▶

OSV

Command Injection in systeminformation↗2020-10-27

▶