CVE-2020-26245

npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().
Configurations

Configuration 1 (hide)

cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 05:19

Type Values Removed Values Added
CVSS v2 : 7.5
v3 : 9.8
v2 : 7.5
v3 : 8.1
References () https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016 - Patch, Third Party Advisory () https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016 - Patch, Third Party Advisory
References () https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg - Third Party Advisory () https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg - Third Party Advisory

Information

Published : 2020-11-27 20:15

Updated : 2024-11-21 05:19


NVD link : CVE-2020-26245

Mitre link : CVE-2020-26245

CVE.ORG link : CVE-2020-26245


JSON object : View

Products Affected

systeminformation

  • systeminformation
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-471

Modification of Assumed-Immutable Data (MAID)