CVE-2020-7752

Опубликовано: 26 окт. 2020

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.

Ссылки

https://github.com/sebhildebrandt/systeminformation/blob/master/lib/internet.js
Exploit
Third Party Advisory
https://github.com/sebhildebrandt/systeminformation/commit/931fecaec2c1a7dcc10457bb8cd552d08089da61
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-1021909
Exploit
Patch
Third Party Advisory
https://github.com/sebhildebrandt/systeminformation/blob/master/lib/internet.js
Exploit
Third Party Advisory
https://github.com/sebhildebrandt/systeminformation/commit/931fecaec2c1a7dcc10457bb8cd552d08089da61
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-1021909
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*

Версия до 4.27.11 (исключая)

EPSS

Процентиль: 87%

0.03143

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-94xh-2fmc-xf5j