CVE-2020-26245
CVE-2020-26245 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of the shell sanitization to avoid prototype pollution problems. EPSS estimates a 1.93% chance of exploitation in the next 30 days.
Description
The npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of the shell sanitization to avoid prototype pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize the service parameter strings that are passed to si.inetChecksite().
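For deployments that cannot upgrade, the mitigation above amounts to validating the target before the library sees it. The following is an added example (not code from the systeminformation project or from the advisory): a wrapper that accepts only a primitive string naming a hostname or http(s) URL, parses it, and rebuilds a canonical string from the parsed parts so no shell metacharacters from the caller's input survive. It assumes the `si` module object is passed in by the caller.

```javascript
// Added example, not part of systeminformation: defensive validation of the
// target string for si.inetChecksite() when upgrading to >= 4.30.5 is not possible.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Hostname labels: letters, digits, hyphens and dots only (RFC 1123 subset).
const HOSTNAME_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
// Path: unreserved characters, '/' and '%' only; no $ ( ) ` ; & | or whitespace.
const PATH_RE = /^[A-Za-z0-9._~/%-]*$/;

// Returns a freshly built canonical string or throws. The caller's raw input is
// never returned, so nothing outside the allowlists can reach the shell.
function validateChecksiteTarget(input) {
  // Prototype-pollution gadgets need object-typed values: accept only a
  // primitive string (typeof, not instanceof, so String objects are rejected too).
  if (typeof input !== 'string') {
    throw new TypeError('checksite target must be a primitive string');
  }
  if (input.length === 0 || input.length > 2048) {
    throw new RangeError('checksite target has invalid length');
  }
  // Accept a bare hostname or an http(s) URL; parse instead of patching with regexes.
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(input) ? input : `https://${input}`;
  let url;
  try {
    url = new URL(candidate);
  } catch {
    throw new TypeError('checksite target is not a valid URL');
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new TypeError(`protocol not allowed: ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new TypeError('credentials in URL are not allowed');
  }
  if (!HOSTNAME_RE.test(url.hostname)) {
    throw new TypeError('hostname contains disallowed characters');
  }
  if (!PATH_RE.test(url.pathname)) {
    throw new TypeError('path contains disallowed characters');
  }
  // Rebuild from parsed components only: scheme, host[:port] and path.
  return `${url.protocol}//${url.host}${url.pathname}`;
}

// Guarded call. `si` is injected (e.g. require('systeminformation')) so this
// file runs stand-alone; the library only ever receives the canonical string.
function safeInetChecksite(si, target) {
  return si.inetChecksite(validateChecksiteTarget(target));
}
```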
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Systeminformation | Systeminformation | < 4.30.5 |
References
- https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016 (Patch, Third Party Advisory)
Source: NVD / NIST
