Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
Vulnerability Description
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
systeminformation 操作系统命令注入漏洞
Vulnerability Description
systeminformation是Sebastian Hildebrandt个人开发者的一个可以获得操作系统信息的 Npm 软件库。 systeminformation 5.30.8之前版本存在操作系统命令注入漏洞,该漏洞源于wifiNetworks函数中的网络接口参数未经过清理,可能导致命令注入攻击。
CVSS Information
N/A
Vulnerability Type
N/A