
CVE-2020-26300 Command injection in systeminformation

2021-09-09 01:10:11
CWE-77
GitHub_M
www.cve.org

CVSS3: 5.9 Medium

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score: 9.8 High (Confidence: High)

EPSS: 0.005 Low (Percentile: 77.3%)

systeminformation is an npm package that provides a system and OS information library for Node.js. Versions of systeminformation before 4.26.2 contain a command injection vulnerability. The problem was fixed in version 4.26.2 with a shell string sanitization fix.

CNA Affected

[
  {
    "product": "systeminformation",
    "vendor": "sebhildebrandt",
    "versions": [
      {
        "status": "affected",
        "version": "< 4.26.2"
      }
    ]
  }
]
