Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Command Injection in fsSize() on Windows
Vulnerability Description
systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
systeminformation 操作系统命令注入漏洞
Vulnerability Description
systeminformation是Sebastian Hildebrandt个人开发者的一个可以获得操作系统信息的 Npm 软件库。 systeminformation 5.27.14之前版本存在操作系统命令注入漏洞,该漏洞源于fsSize函数存在OS命令注入漏洞,可能导致任意命令执行。
CVSS Information
N/A
Vulnerability Type
N/A