
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

The npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of the shell sanitization to avoid prototype pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().

• https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016
• https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
• CWE-471: Modification of Assumed-Immutable Data (MAID)

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 2

This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.

• https://gist.github.com/EffectRenan/b434438938eed0b21b376cedf5c81e80
• https://github.com/sebhildebrandt/systeminformation/blob/master/lib/internet.js
• https://github.com/sebhildebrandt/systeminformation/commit/11103a447ab9550c25f1fbec7e6d903720b3fea8%23diff-970ae648187190f86bafc8f193b7538200eba164fad0674428b6487582c089cc
• https://github.com/sebhildebrandt/systeminformation/commit/73dce8d717ca9c3b7b0d0688254b8213b957f0fa%23diff-970ae648187190f86bafc8f193b7538200eba164fad0674428b6487582c089cc
• https://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-1043753
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 8.8 • EPSS: 3% • CPEs: 1 • EXPL: 3

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite JavaScript files and then execute any OS commands.

• https://github.com/ossf-cve-benchmark/CVE-2020-7752
• https://github.com/sebhildebrandt/systeminformation/blob/master/lib/internet.js
• https://github.com/sebhildebrandt/systeminformation/commit/931fecaec2c1a7dcc10457bb8cd552d08089da61
• https://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-1021909
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')