CVE-2020-7752
HIGH8.8EPSS 3.1%systeminformation command injection vulnerability
發布日:2020/10/27修改日:2026/6/1
描述
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
受影響套件(2)
- Debian/node-systeminformationfrom 0
- npm/systeminformationfrom 0, < 4.27.11
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-7752
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-7752
- PATCHhttps://github.com/sebhildebrandt/systeminformation
- WEBhttps://github.com/sebhildebrandt/systeminformation/blob/master/lib/internet.js
- WEBhttps://github.com/sebhildebrandt/systeminformation/commit/931fecaec2c1a7dcc10457bb8cd552d08089da61
- WEBhttps://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-94xh-2fmc-xf5j
- WEBhttps://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-1021909
- WEBhttps://www.npmjs.com/package/systeminformation