systeminformation 5.19.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the systeminformation package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Command Injection systeminformation is a simple system and OS information library. Affected versions of this package are vulnerable to Command Injection via the `fsSize` function when the `drive` parameter is concatenated into a PowerShell command without proper sanitization. An attacker can execute arbitrary commands on the underlying Windows system by supplying crafted input to the `drive` parameter. ##Workaround This vulnerability could be mitigated by applying `util.sanitizeShellString()` to the `drive` parameter, consistent with other functions in the codebase. How to fix Command Injection? Upgrade `systeminformation` to version 5.27.14 or higher.	<5.27.14
M Arbitrary Code Injection systeminformation is a simple system and OS information library. Affected versions of this package are vulnerable to Arbitrary Code Injection through the `getWindowsIEEE8021x()` function. An attacker can execute arbitrary commands on the system by injecting malicious commands into an SSID and convincing a user to connect to it. The function then passes this value to the command line without proper sanitization. Note: This is only exploitable on Windows. How to fix Arbitrary Code Injection? Upgrade `systeminformation` to version 5.23.8 or higher.	<5.23.8
C Arbitrary Command Injection systeminformation is a simple system and OS information library. Affected versions of this package are vulnerable to Arbitrary Command Injection via the `wifiConnections()` and `wifiNetworks()` functions. An attacker can inject malicious commands by crafting detected SSIDs. How to fix Arbitrary Command Injection? Upgrade `systeminformation` to version 5.21.7 or higher.	>=5.0.0 <5.21.7

Vulnerability

Vulnerable Version

Command Injection

systeminformation is a simple system and OS information library.

Affected versions of this package are vulnerable to Command Injection via the fsSize function when the drive parameter is concatenated into a PowerShell command without proper sanitization. An attacker can execute arbitrary commands on the underlying Windows system by supplying crafted input to the drive parameter.

##Workaround

This vulnerability could be mitigated by applying util.sanitizeShellString() to the drive parameter, consistent with other functions in the codebase.

How to fix Command Injection?

Upgrade systeminformation to version 5.27.14 or higher.

<5.27.14

Arbitrary Code Injection

systeminformation is a simple system and OS information library.

Affected versions of this package are vulnerable to Arbitrary Code Injection through the getWindowsIEEE8021x() function. An attacker can execute arbitrary commands on the system by injecting malicious commands into an SSID and convincing a user to connect to it. The function then passes this value to the command line without proper sanitization.

Note: This is only exploitable on Windows.

How to fix Arbitrary Code Injection?

Upgrade systeminformation to version 5.23.8 or higher.

<5.23.8

Arbitrary Command Injection

systeminformation is a simple system and OS information library.

Affected versions of this package are vulnerable to Arbitrary Command Injection via the wifiConnections() and wifiNetworks() functions. An attacker can inject malicious commands by crafting detected SSIDs.

How to fix Arbitrary Command Injection?

Upgrade systeminformation to version 5.21.7 or higher.

>=5.0.0 <5.21.7

systeminformation@5.19.0 vulnerabilities

Advanced, lightweight system and OS information library

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically