command injection vulnerability
The problem was fixed with a shell string sanitization fix. Please upgrade to version >= 4.26.2.
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.services(), si.inetChecksite(), si.inetLatency(), si.networkStats() and si.processLoad().
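One way to apply the "check or sanitize" workaround for name-style parameters is to reject anything outside an allow-list instead of trying to strip characters. This is an added example, not code from systeminformation; `checkServiceParam`, `SERVICE_NAME`, the comma-separated input form and the allowed character set are assumptions made for illustration.

```javascript
// Added example, not code from systeminformation.
// One to 64 characters, starting alphanumeric so a value cannot begin with "-"
// and be read as a command-line option; no shell metacharacters or whitespace.
const SERVICE_NAME = /^[A-Za-z0-9][A-Za-z0-9_.@-]{0,63}$/;

// Returns a normalized comma-separated list, or throws before anything is run.
function checkServiceParam(input) {
  // Arrays and objects are refused outright instead of being coerced to a string.
  if (typeof input !== 'string') {
    throw new TypeError('service parameter must be a string');
  }
  const names = input.split(',').map((s) => s.trim()).filter((s) => s !== '');
  if (names.length === 0) {
    throw new RangeError('no service names given');
  }
  for (const name of names) {
    if (!SERVICE_NAME.test(name)) {
      throw new RangeError('rejected service name: ' + JSON.stringify(name));
    }
  }
  return names.join(',');
}

// Constructed sample inputs (not taken from the advisory).
function demo() {
  const samples = ['mysql, apache2', 'nginx', 'mysql; echo x', '$(echo x)', '-h', ['mysql']];
  return samples.map((s) => {
    try {
      return { input: s, ok: true, value: checkServiceParam(s) };
    } catch (err) {
      return { input: s, ok: false, value: err.message };
    }
  });
}

console.log(demo());
```

Only the string returned by `checkServiceParam` should be handed to the library call; a thrown error means the request is dropped and logged rather than cleaned up and retried.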
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
| CPE | Name | Operator | Version |
|---|---|---|---|
| | systeminformation | lt | 4.26.2 |
github.com/advisories/GHSA-fj59-f6c3-3vw4
github.com/sebhildebrandt/systeminformation
github.com/sebhildebrandt/systeminformation/commit/bad372e654cdd549e7d786acbba0035ded54c607
github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-fj59-f6c3-3vw4
nvd.nist.gov/vuln/detail/CVE-2020-26300
www.npmjs.com/package/systeminformation