Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID)
- Severity: High
Description
The SSID is not sanitized before it is passed as a parameter to cmd.exe in the getWindowsIEEE8021x
function. This means that malicious content in the SSID can be executed as OS commands.
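The pattern described above, next to a hardened form, as an added example that is not systeminformation's own code. The netsh command line, the function names and the sample SSIDs are assumptions constructed for illustration.

```javascript
'use strict';
// Added illustration, not systeminformation's source. The netsh command line
// and all function names here are assumptions made for the example.

// Characters cmd.exe treats specially, plus control characters.
const CMD_UNSAFE = /[\x00-\x1f\x7f"&|<>^%!()]/;

// Vulnerable pattern: the SSID is spliced into a string that cmd.exe parses,
// so a quote in the SSID ends the argument and the rest becomes commands.
function buildShellString(ssid) {
  return `netsh wlan show profiles "${ssid}" | findstr "802.1X"`;
}

// Hardened pattern: validate first, then return an argv array so the SSID
// stays a single argument and no shell ever parses it.
function buildArgv(ssid) {
  if (typeof ssid !== 'string') throw new TypeError('SSID must be a string');
  const len = Buffer.byteLength(ssid, 'utf8');
  if (len < 1 || len > 32) throw new RangeError('SSID must be 1-32 bytes');
  // Conservative: rejects some legal SSIDs rather than trying to escape them.
  if (CMD_UNSAFE.test(ssid)) throw new Error('SSID has unsafe characters');
  return { file: 'netsh', args: ['wlan', 'show', 'profiles', `name=${ssid}`] };
}

// Runs the query with execFile (no shell). Only meaningful on Windows.
async function showProfile(ssid) {
  const { execFile } = await import('node:child_process');
  const { file, args } = buildArgv(ssid);
  return new Promise((resolve, reject) => {
    execFile(file, args, { windowsHide: true }, (err, stdout) =>
      err ? reject(err) : resolve(stdout));
  });
}

// Constructed sample SSIDs, as a scan of nearby networks might return them.
const samples = ['HomeNet-5G', 'Cafe" & echo INJECTED & "'];
function audit(list) {
  return list.map((ssid) => {
    try { buildArgv(ssid); return { ssid, ok: true }; }
    catch (e) { return { ssid, ok: false, reason: e.message }; }
  });
}
console.log(audit(samples));
console.log(buildShellString(samples[1]));
```

The second printed line shows how the quote inside the constructed SSID closes the argument, leaving the remainder for cmd.exe to parse as separate commands.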
Recommendation
Update the systeminformation package to the latest compatible version. Version details follow:
- Affected version(s): <= 5.23.6
- Patched version(s): 5.23.7
Related Issues
- @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user - CVE-2025-61668
- @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled - CVE-2024-51752
- Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - CVE-2024-43788
- Command Injection Vulnerability - CVE-2021-21315
- Tags: npm, systeminformation
Last updated on December 20, 2024