CVE-2020-26245: OS Command Injection
First published: Fri Nov 27 2020(Updated: )
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Systeminformation Systeminformation | <4.30.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-26245?
CVE-2020-26245 is a vulnerability in the npm package systeminformation before version 4.30.5.
What is the severity of CVE-2020-26245?
The severity of CVE-2020-26245 is critical with a score of 9.8.
How does CVE-2020-26245 affect the system?
CVE-2020-26245 allows attackers to perform Command Injection through Prototype Pollution.
How can I fix CVE-2020-26245?
The issue can be fixed by upgrading the systeminformation npm package to version 4.30.5 or higher.
Where can I find more information about CVE-2020-26245?
You can find more information about CVE-2020-26245 on the GitHub page of systeminformation and the associated security advisory.
- collector/nvd-index
- vendor/systeminformation
- canonical/systeminformation systeminformation