MEDIUM 5.9

GHSA-fj59-f6c3-3vw4

Command Injection in systeminformation

Details

### Impact

Command injection vulnerability.

### Patches

The problem was fixed with a shell string sanitization fix. Please upgrade to version >= 4.26.2.

### Workarounds

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to `si.services()`, `si.inetChecksite()`, `si.inetLatency()`, `si.networkStats()` and `si.processLoad()`.
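One way to apply this workaround is to reject anything outside a strict allowlist before the string reaches the library. This is an added example, not code from the advisory or from systeminformation; the helper names (`checkParam`, `checkList`, `checkUrl`) and the patterns (Linux-style interface names, DNS hostnames) are assumptions to adapt.

```javascript
// Added example: allowlist checks for strings bound for the calls named in
// the workaround. Helper names and patterns are assumptions, not library API.
const PATTERNS = {
  // service or process name (si.services, si.processLoad)
  name: /^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$/,
  // network interface such as eth0 or enp3s0 (si.networkStats)
  iface: /^[A-Za-z0-9][A-Za-z0-9._:-]{0,31}$/,
  // DNS hostname or IPv4 literal (si.inetLatency)
  host: /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,62}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,62}[A-Za-z0-9])?)*$/,
};

// Validate one value; throws instead of trying to "clean" hostile input.
function checkParam(kind, value) {
  if (!Object.prototype.hasOwnProperty.call(PATTERNS, kind)) {
    throw new Error(`unknown parameter kind: ${kind}`);
  }
  // Non-strings (arrays, objects) are rejected before any pattern test.
  if (typeof value !== 'string') throw new TypeError(`${kind} must be a string`);
  if (!PATTERNS[kind].test(value)) throw new Error(`rejected ${kind} value`);
  return value;
}

// si.services() accepts a comma-separated list: validate every element.
function checkList(kind, value) {
  if (typeof value !== 'string') throw new TypeError(`${kind} list must be a string`);
  return value.split(',').map((item) => checkParam(kind, item.trim())).join(',');
}

// si.inetChecksite() takes a URL: allow http(s) only, validate the host,
// and return just scheme://host[:port] so path and query never reach a shell.
function checkUrl(value) {
  if (typeof value !== 'string') throw new TypeError('url must be a string');
  const u = new URL(value); // throws on unparsable input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('rejected url scheme');
  }
  checkParam('host', u.hostname);
  return u.origin;
}
```

Pass the returned value, not the original input, to the library call, for example `si.services(checkList('name', userInput))`.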


### For more information

If you have any questions or comments about this advisory:

* Open an issue in [systeminformation](https://github.com/sebhildebrandt/systeminformation)


Affected packages

npm / systeminformation
Introduced in: 0
Fixed in: 4.26.2
Fix: `npm install systeminformation@4.26.2`

References