Systeminformation
CVE-2020-7752
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (snyk) · only source for this CVE.
CVSS VectorVendor: snyk
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 16 npm packages depend on systeminformation (2 direct, 14 indirect)
Ecosystem-wide dependent count for version 4.27.11.
DescriptionCVE.org
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
AnalysisAI
This affects the package systeminformation before 4.27.11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands. Affected products include: Systeminformation. Version information: before 4.27.11..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.
More in Systeminformation
View allCommand injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arb
Command injection in the systeminformation Node.js library (versions prior to 5.30.8) lets attackers run arbitrary OS co
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions t
This affects the package systeminformation before 4.30.2. Rated high severity (CVSS 7.3), this vulnerability is remotely
systeminformation is a System Information Library for Node.JS. Rated critical severity (CVSS 9.8), this vulnerability is
systeminformation is an open source system and OS information library for node.js. Rated critical severity (CVSS 9.8), t
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. R
In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. Rated high severity
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today