Moderate severity · NVD Advisory · Published Nov 27, 2020 · Updated Aug 4, 2024
Prototype Pollution leading to Command Injection in systeminformation
CVE-2020-26245
Description
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of the shell sanitization to avoid prototype pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().
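One way to apply the "check or sanitize" workaround when upgrading is not possible, as an added example (not code from systeminformation or from the advisory). The names `validateChecksiteUrl` and `checkSite`, the length limit, and the character allowlist (which deliberately excludes query strings) are assumptions of this example.

```javascript
// Added example: names and policy here are assumptions, not systeminformation code.

// Allowlist: letters, digits and the URL punctuation needed for scheme/host/port/path.
// Whitespace, quotes and shell metacharacters are excluded; so are query strings.
const SAFE_URL_CHARS = /^[A-Za-z0-9.:\/_~%-]+$/;
const MAX_LEN = 2048;

function validateChecksiteUrl(input) {
  // typeof is an operator, so it does not depend on String.prototype methods
  // and rejects arrays, plain objects and boxed String objects alike.
  if (typeof input !== 'string') return { ok: false, reason: 'not a primitive string' };
  if (input.length === 0 || input.length > MAX_LEN) return { ok: false, reason: 'bad length' };
  if (!SAFE_URL_CHARS.test(input)) return { ok: false, reason: 'forbidden character' };

  let parsed;
  try {
    parsed = new URL(input);
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // Return the parser's normalized form, not the caller's raw value.
  return { ok: true, url: parsed.href };
}

// `si` is the systeminformation module, passed in by the caller so that this
// file runs without the package installed.
function checkSite(si, input) {
  const v = validateChecksiteUrl(input);
  if (!v.ok) throw new TypeError('refusing to call inetChecksite: ' + v.reason);
  return si.inetChecksite(v.url);
}

// Constructed sample inputs: one valid URL, one array, one string with shell
// metacharacters, one disallowed scheme.
const samples = ['https://example.com/status', ['https://example.com'], 'example.com; id', 'ftp://example.com/'];
for (const s of samples) console.log(JSON.stringify(s), '->', validateChecksiteUrl(s));
```

The type check comes first so that every later step only ever operates on a primitive string.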
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| systeminformation (npm) | < 4.30.5 | 4.30.5 |
Affected products
- Range: < 4.30.5
References
- github.com/advisories/GHSA-4v2w-h9jm-mqjg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-26245 (ghsa, ADVISORY)
- github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016 (ghsa, x_refsource_MISC, WEB)
- github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg (ghsa, x_refsource_CONFIRM, WEB)