Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID)
- Severity: High
Description
The SSID is not sanitized before it is passed as a parameter to cmd.exe in the getWindowsIEEE8021x function. This means that malicious content in the SSID can be executed as OS commands.
Recommendation
Update the systeminformation package to the latest compatible version. Version details:
- Affected version(s): <= 5.23.6
- Patched version(s): 5.23.7
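The flaw class described above, next to a guard an application can apply to SSID values before they reach an OS command. This is an added example, not systeminformation's own code or its patch; the function names, the sample SSIDs and the `netsh` command line are assumptions made for illustration.

```javascript
'use strict';

// Characters cmd.exe treats as syntax, plus quotes and control characters.
const CMD_META = /[&|<>^%!"'`()\x00-\x1f]/;

// Constructed sample: an SSID that closes the quote and appends a command.
const SAMPLE_HOSTILE_SSID = 'cafe" & echo MARKER';

// An SSID is at most 32 bytes (IEEE 802.11). Reject empty, oversized or
// shell-significant values instead of trying to escape them.
function isSafeSsid(ssid) {
  return typeof ssid === 'string' &&
    ssid.length > 0 &&
    Buffer.byteLength(ssid, 'utf8') <= 32 &&
    !CMD_META.test(ssid);
}

// Unsafe pattern: the SSID is concatenated into a string that cmd.exe parses,
// so a quote in the SSID ends the argument and "&" starts a second command.
function unsafeCommandLine(ssid) {
  return 'netsh wlan show profiles "' + ssid + '"';
}

// Hardened pattern: validate first, then keep the SSID as one argv element.
// Returns null when the SSID is rejected.
function buildProfileQuery(ssid) {
  if (!isSafeSsid(ssid)) return null;
  return { file: 'netsh', args: ['wlan', 'show', 'profiles', 'name=' + ssid] };
}

// Runs the query without a shell: execFile with shell:false starts the
// executable directly, so cmd.exe never sees the SSID.
function queryProfile(ssid, callback) {
  // Loaded lazily so the pure helpers above can be used and tested anywhere.
  const { execFile } = require('node:child_process');
  const query = buildProfileQuery(ssid);
  if (!query) return callback(new Error('SSID rejected: ' + JSON.stringify(ssid)));
  execFile(query.file, query.args, { shell: false, windowsHide: true }, callback);
}
```

Validation here complements the upgrade to the patched version; it does not replace it, because the library reads SSIDs from the system itself as well as from caller input.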
- Tags: npm, systeminformation
Last updated on December 20, 2024