Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in sebhildebrandt/systeminformation


Reported on

Apr 8th 2021

✍️ Description

The systeminformation package is vulnerable to Improper Input Validation through versions function.

🕵️‍♂️ Proof of Concept

// PoC.js

const si = require('systeminformation');
si.versions({toString : () => { console.log("This is a PoC") }});

💥 Impact

This vulnerability allows attackers to send an object instead of a string, which may lead to Code injection, DoS, etc.


to join this conversation