Passing User Paramters to Systeminformation
-For most of the applications that are using systeminformation, there is no reason to worry. But be aware! If you are using inetLatency(), inetChecksite(), services(), processLoad() with arbitrary untrusted user input, you should pay extra attention! We are doing a lot of input sanitation for those functions inside this package but we cannot handle all cases!
+For most of the applications that are using systeminformation, there is no reason to worry. But be aware! If you are using inetLatency(), inetChecksite(), services(), processLoad(), versions() with arbitrary untrusted user input, you should pay extra attention! We are doing a lot of input sanitation for those functions inside this package but we cannot handle all cases!
This can lead to serious impact on your servers!
We highly recommend to always upgrade to the latest version of our package. We maintain security updates for version 5 AND also version 4. For version 4 you can install latest version by placing "systeminformation": "^4" in your package.json (dependencies) and run npm install
+Command Injection Vulnerability
+Affected versions:
+ < 5.6.11 and < 4.34.20
+ Date: 2021-04-08
+ CVE indentifier -
+
Impact
+We had an issue that there was a possibility to perform a potential command injection possibility by passing a non string values as a parameter to the versions().
+ +Patch
+Problem was fixed with parameter checking. Please upgrade to version >= 5.6.11 (or >= 4.34.20 if you are using version 4).
+ +Workarround
+If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to versions() (string only)
++
Command Injection Vulnerability
Affected versions:
< 5.6.4 and < 4.34.17
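Review bot: the new advisory block leaves the identifier line at `+ CVE indentifier -` with a typo and no value; change it to `CVE identifier: not yet assigned` (or the allocated ID once available) so a reader does not mistake the bare dash for a lookup that failed, and fix `+ +Workarround` to `Workaround`. Since the Impact paragraph attributes the injection to non-string values reaching `versions()`, the Workaround sentence should state the check concretely, e.g. reject any parameter where `typeof param !== 'string'` before calling `versions()`, rather than only saying "(string only)" in parentheses. The Impact sentence also reads awkwardly ("a potential command injection possibility by passing a non string values"); tighten it to "a potential command injection by passing non-string values as a parameter to versions()". The unchanged context heading "Passing User Paramters to Systeminformation" carries a pre-existing typo ("Parameters") worth correcting while this region is being edited.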
diff --git a/docs/v4/index.html b/docs/v4/index.html
index 770659a..7e7f2d5 100644
--- a/docs/v4/index.html
+++ b/docs/v4/index.html
@@ -165,12 +165,12 @@
Update to v4.34.17 + Security advisory:
Update to v4.34.20
Passing User Paramters to Systeminformation
-For most of the applications that are using systeminformation, there is no reason to worry. But be aware! If you are using inetLatency(), inetChecksite(), services(), processLoad() with arbitrary untrusted user input, you should pay extra attention! We are doing a lot of input sanitation for those functions inside this package but we cannot handle all cases!
+For most of the applications that are using systeminformation, there is no reason to worry. But be aware! If you are using inetLatency(), inetChecksite(), services(), processLoad(), versions() with arbitrary untrusted user input, you should pay extra attention! We are doing a lot of input sanitation for those functions inside this package but we cannot handle all cases!
This can lead to serious impact on your servers!
We highly recommend to always upgrade to the latest version of our package. We maintain security updates for version 5 AND also version 4. For version 4 you can install latest version by placing "systeminformation": "^4" in your package.json (dependencies) and run npm install
+Command Injection Vulnerability
+Affected versions:
+ < 4.34.20
+ Date: 2021-04-08
+ CVE indentifier -
+
Impact
+We had an issue that there was a possibility to perform a potential command injection possibility by passing a non string values as a parameter to the versions().
+ +Patch
+Problem was fixed with parameter checking. Please upgrade to version >= 4.34.20 if you are using version 4.
+ +Workarround
+If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to versions() (string only)
++
Command Injection Vulnerability
Affected versions:
< 4.34.17
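Review bot: the same typos from the v5 page are carried into docs/v4/index.html: `+ CVE indentifier -` should read `CVE identifier: not yet assigned` (or the assigned ID) and `+ +Workarround` should be `Workaround`; fix both files in this commit so the two advisories stay in sync. The Patch line here correctly limits the upgrade advice to `>= 4.34.20`, but the Workaround text again only says "(string only)"; make it explicit that callers must verify `typeof param === 'string'` before passing the value to `versions()`, matching the Impact description of non-string values. The context heading "Passing User Paramters" has the same pre-existing typo as the v5 page and should be corrected in both.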