Improper Input Validation

Affecting systeminformation package, versions <5.6.11


Overview

systeminformation is a simple system and OS information library.

Affected versions of this package are vulnerable to Improper Input Validation. The versions function does not check the user-supplied argument, which is expected to be a string, so a non-string value such as an object with its own toString method is accepted, as the proof of concept below shows.

const si = require('systeminformation');
si.versions({toString : () => { console.log("This is a PoC") }});
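The following is an added example, not code from the systeminformation project or from the reporter. It isolates the CWE-20 pattern the PoC relies on: a caller-controlled value that reaches string coercion has its own toString() executed, and a type check up front prevents that. The wrapper name validateVersionsArg and the character allow-list are assumptions for illustration; the real si.versions() expects a comma-separated string of app names such as 'node, npm'.

```javascript
// Added example (not the library's code): validation before string coercion.

// What an unchecked implementation effectively does: '' + arg coerces an
// object by calling its toString(), which here is under the caller's control.
function coerceUnchecked(arg) {
  return '' + arg;
}

// Defensive validation applied before the value is used as a string anywhere.
// Returns the validated string, or undefined when no filter was supplied.
function validateVersionsArg(arg) {
  if (arg === undefined) return undefined;
  if (typeof arg !== 'string') {
    const kind = arg === null ? 'null' : typeof arg;
    throw new TypeError('versions(): expected a string, got ' + kind);
  }
  // Allow-list (assumed shape): identifiers separated by commas and spaces.
  if (!/^[A-Za-z0-9_.\-]+(\s*,\s*[A-Za-z0-9_.\-]+)*$/.test(arg)) {
    throw new TypeError('versions(): unexpected characters in app list');
  }
  return arg;
}

// Demonstration: a constructed argument whose toString() records that it ran,
// compared across the unchecked path and the validated path.
function demo() {
  let toStringCalls = 0;
  const hostile = { toString: () => { toStringCalls += 1; return 'node'; } };

  coerceUnchecked(hostile);            // caller-supplied toString() runs
  const callsAfterUnchecked = toStringCalls;

  let rejected = false;
  try {
    validateVersionsArg(hostile);      // rejected before any coercion
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const callsAfterValidated = toStringCalls;

  return {
    callsAfterUnchecked,               // 1
    callsAfterValidated,               // still 1: validation never coerced
    rejected,                          // true
    accepted: validateVersionsArg('node, npm'),
  };
}

console.log(demo());
```

The typeof check is the essential part: it runs before any operation that would invoke ToPrimitive on the argument, so an attacker-supplied toString or valueOf never executes. The allow-list is a second layer that also keeps malformed but genuine strings out of whatever the library does with the app names.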

Remediation

Upgrade systeminformation to version 5.6.11 or higher.

References

CVSS Score

3.7
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R
Credit
Renan Rocha (EffectRenan)
CWE
CWE-20
Snyk ID
SNYK-JS-SYSTEMINFORMATION-1244526
Disclosed
09 Apr, 2021
Published
09 Apr, 2021