CVE-2020-7752

HIGH

systeminformation < 4.27.11 - OS Command Injection via curl Parameter Concatenation

Title source: llm

Description

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite JavaScript files and then execute any OS commands.

Scores

CVSS v3 8.8
EPSS 0.0571
EPSS Percentile 92.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
npm/systeminformation 0 - 4.27.11 (npm)
systeminformation/systeminformation < 4.27.11
Published Oct 26, 2020
Tracked Since Feb 18, 2026