HIGH 7.3

GHSA-8j36-q8x7-pm6q

OS Command Injection in systeminformation

Details

This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / systeminformation

Introduced in: 0 Fixed in: 4.30.2

Fix npm install systeminformation@4.30.2

References

https://nvd.nist.gov/vuln/detail/CVE-2020-7778 [ADVISORY]
https://github.com/sebhildebrandt/systeminformation/commit/11103a447ab9550c25f1fbec7e6d903720b3fea8%23diff-970ae648187190f86bafc8f193b7538200eba164fad0674428b6487582c089cc [WEB]
https://github.com/sebhildebrandt/systeminformation/commit/73dce8d717ca9c3b7b0d0688254b8213b957f0fa%23diff-970ae648187190f86bafc8f193b7538200eba164fad0674428b6487582c089cc [WEB]
https://gist.github.com/EffectRenan/b434438938eed0b21b376cedf5c81e80 [WEB]
https://github.com/sebhildebrandt/systeminformation/blob/master/lib/internet.js [WEB]
https://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-1043753 [WEB]