Description

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.

Remediation

References

https://github.com/sebhildebrandt/systeminformation/blob/master/lib/internet.js

https://github.com/sebhildebrandt/systeminformation/commit/931fecaec2c1a7dcc10457bb8cd552d08089da61

https://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-1021909

Related Vulnerabilities

CVE-2023-36665 Vulnerability in maven package org.webjars.npm:github-com-protobufjs-protobuf-js

CVE-2018-3712 Vulnerability in npm package serve

CVE-2022-43413 Vulnerability in maven package org.jenkins-ci.plugins:job-import-plugin

CVE-2022-36007 Vulnerability in maven package com.github.jlangch:venice

CVE-2022-27820 Vulnerability in maven package org.zaproxy:zap

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Patch