Advisories for Npm/Systeminformation package

The fsSize() function in systeminformation is vulnerable to OS Command Injection (CWE-78) on Windows systems. The optional drive parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. Affected Platforms: Windows only CVSS Breakdown: Attack Vector (AV:N): Network - if used in a web application/API Attack Complexity (AC:H): High - requires application to pass user input to fsSize() Privileges Required …

The SSID is not sanitized when before it is passed as a parameter to cmd.exe in the getWindowsIEEE8021x function. This means that malicious content in the SSID can be executed as OS commands.

Impact SSID Command Injection Vulnerability Patches Problem was fixed with a parameter check. Please upgrade to version >= 5.21.7, Version 4 was not affected Workarounds If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to wifiConnections(), wifiNetworks() (string only) References See also https://systeminformation.io/security.html

systeminformation is an npm package that provides system and OS information library for node.js. In systeminformation there is a command injection vulnerability. Problem was fixed with a shell string sanitation fix.

systeminformation is an open source system and OS information library for node.Please upgrade to If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() and other commands. Only allow strings, reject any arrays. String sanitation works as expected.

command injection vulnerability

systeminformation suffers from a command injection vulnerability.

npm package systeminformation is vulnerable to Prototype Pollution leading to Command Injection.If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().

This affects the package systeminformation The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.

The systeminformation package is vulnerable to Command Injection. An attacker can concatenate the curl command's parameters to overwrite Javascript files and then execute any OS commands.