mike/systeminformation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
systeminformation/docs/security.html
Sebastian Hildebrandt 95ed380879 chore: updated copyright year
2026-01-03 10:30:21 +01:00

308 lines
17 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<!-- CSS -->
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
<link rel="stylesheet" href="https://pro.fontawesome.com/releases/v5.15.1/css/all.css" integrity="sha384-9ZfPnbegQSumzaE7mks2IYgHoayLtuto3AS6ieArECeaR8nCfliJVuLh/GaQ1gyM" crossorigin="anonymous">
<link rel="stylesheet" href="roboto/css/roboto.css">
<link rel="stylesheet" href="styles.css">
<script src="main.js"></script>
<!-- Favicon -->
<link rel="icon" type="image/png" sizes="192x192" href="/assets/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="/assets/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="/assets/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="/assets/favicon-16x16.png">
<title>systeminformation</title>
</head>
<body>
<nav class="nav">
<div class="container">
<a href="."><img class="logo float-left" src="assets/logo.png" alt="logo">
<div class="title float-left">systeminformation</div>
</a>
<div class="text float-right github"><a href="https://github.com/sebhildebrandt/systeminformation">View on Github <i class="fab fa-github"></i></a></div>
<div class="text float-right todocs"><a href="./#docs">Docs Overview</a></div>
</div>
</nav>
<div class="container-fluid">
<section class="container">
<div class="row">
<div class="col-12 col-md-4 col-lg-3 col-xl-2 menu" id="menu">
</div>
<div class="col-12 col-md-8 col-lg-9 col-xl-10 content">
<div class="row">
<div class="col-12 sectionheader">
<div class="title">Security Advisories</div>
<div class="text">
<h2>fsSize Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.27.14<br>
<span class="bold">Date:</span> 2025-12-16<br>
<span class="bold">CVE indentifier</span> CVE-2025-68154
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by manipulating Win32_logicaldisk input in <span class="code">fsSize()</span> on windows machines.</p>
<h4>Patch</h4>
<p>Problem was fixed with parameter checking. If you are using version 5, please upgrade to version >= 5.27.14.</p>
<hr>
<br>
<h2>SSID Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.23.7<br>
<span class="bold">Date:</span> 2024-11-11<br>
<span class="bold">CVE indentifier</span> CVE-2024-56334
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by crafting detected SSIDs in <span class="code">networkInterfaces()</span> on windows machines.</p>
<h4>Patch</h4>
<p>Problem was fixed with parameter checking. If you are using version 5, please upgrade to version >= 5.23.7.</p>
<hr>
<br>
<h2>Passing User Paramters to Systeminformation</h2>
<p>For most of the applications that are using <span class="code">systeminformation</span>, there is no reason to worry. <span class="bold">But be aware!</span> If you are using <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>, <span class="code">versions()</span> with arbitrary untrusted user input, you should pay extra attention! We are doing a lot of input sanitation for those functions inside this package but we cannot handle all cases!</p>
<p class="warning">This can lead to serious impact on your servers!</p>
<p>We highly recommend to always upgrade to the latest version of our package. We maintain security updates for version 5 AND also version 4. For version 4 you can install latest version by placing <span class="code">"systeminformation": "^4"</span> in your package.json (dependencies) and run <span class="code">npm install</span></p>
<hr>
<br>
<h2>SSID Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.21.07 (version 4 is not affected)<br>
<span class="bold">Date:</span> 2023-09-19<br>
<span class="bold">CVE indentifier</span> CVE-2023-42810
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by crafting detected SSIDs in <span class="code">wifiConnections()</span>, <span class="code">wifiNetworks()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with parameter checking. If you are using version 5, please upgrade to version >= 5.7.21 (version 4 is not affected).</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">wifiConnections()</span>, <span class="code">wifiNetworks()</span> (string only)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.6.13 and &lt; 4.34.21<br>
<span class="bold">Date:</span> 2021-05-04<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a non string values as a parameter to the <span class="code">dockerImagesInspect()</span>, <span class="code">dockerContainerInspect()</span>, <span class="code">dockerContainerProcesses()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with parameter checking. Please upgrade to version >= 5.6.13 (or >= 4.34.21 if you are using version 4).</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">dockerImagesInspect()</span>, <span class="code">dockerContainerInspect()</span>, <span class="code">dockerContainerProcesses()</span> (string only)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.6.11 and &lt; 4.34.20<br>
<span class="bold">Date:</span> 2021-04-08<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a non string values as a parameter to the <span class="code">versions()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with parameter checking. Please upgrade to version >= 5.6.11 (or >= 4.34.20 if you are using version 4).</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">versions()</span> (string only)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.6.4 and &lt; 4.34.17<br>
<span class="bold">Date:</span> 2021-03-15<br>
<span class="bold">CVE indentifier</span> CVE-2021-21388
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated string prototype as a parameter to the following functions. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with additional parameter checking. Please upgrade to version >= 5.6.4 (or >= 4.34.17 if you are using version 4).</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> (string only)</p>
<hr>
<br>
<h2>Insufficient File Scheme Validation</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.3.2 and &lt; 4.34.12<br>
<span class="bold">Date:</span> 2021-02-15<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.2 (or >= 4.34.12 if you are using version 4).</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span> (sanitize `file://` parameter)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.3.1 and &lt; 4.34.11<br>
<span class="bold">Date:</span> 2021-02-14<br>
<span class="bold">CVE indentifier</span> CVE-2021-21315
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated array as a parameter to the following functions. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.1 (or >= 4.34.11 if you are using version 4).</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> (string only)</p>
<hr>
<br>
<h2>DOS Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.2.6 and &lt; 4.34.10<br>
<span class="bold">Date:</span> 2021-02-12<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>Here we had an issue that there was a possibility to perform a ping command execution for too long time. Affected commands: <span class="code">inetLatency()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 5.2.6 (or >= 4.34.10 if you are using version 4).</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span> (no spaces)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.31.1<br>
<span class="bold">Date:</span> 2020-12-11<br>
<span class="bold">CVE indentifier</span> CVE-2020-26274, CVE-2020-28448
</p>
<h4>Impact</h4>
<p>Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: <span class="code">inetLatency()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.31.1</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span></p>
<hr>
<br>
<h2>Command Injection Vulnerability - Prototype Pollution</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.30.5<br>
<span class="bold">Date:</span> 2020-11-26<br>
<span class="bold">CVE indentifier</span> CVE-2020-26245
</p>
<h4>Impact</h4>
<p>Here we had an issue that there was a possibility to inject commands to the command line by property pollution on the string object. Affected commands: <span class="code">inetChecksite()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with a shell string sanitation fix as well as handling prototype polution. Please upgrade to version >= 4.30.5</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetChecksite()</span></p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.27.11<br>
<span class="bold">Date:</span> 2020-10-26<br>
<span class="bold">CVE indentifier</span> CVE-2020-7752
</p>
<h4>Impact</h4>
<p>Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: <span class="code">inetChecksite()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.27.11</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetChecksite()</span></p>
</div>
</div>
</div>
</div>
</div>
</section>
</div>
<footer class="container-fluid footer">
<div class="container">
<div class="row">
<div class="col-lg-4 col-12">
<ul class="list-unstyled">
<li><a href="." class="medium home">Home</a></li>
<li>&nbsp;</li>
<li><a href="security.html">Security Advisories&nbsp;&nbsp;<i class="fas fa-shield-check"></i></a></li>
<li><a href="https://github.com/sebhildebrandt/systeminformation">Github <i class="fab fa-github"></i></a></li>
<li>&nbsp;</li>
<li><a href="https://buymeacoff.ee/systeminfo" class="medium badge bg-primary"><i class="fas fa-coffee"></i>&nbsp;&nbsp;Buy me a coffee</a></li>
</ul>
</div>
<div class="col-lg-4 col-12">
<ul class="list-unstyled">
<li><a href="gettingstarted.html">Quick Start</a></li>
<li><a href="changes.html">Version 5 Changes</a></li>
<li><a href="history.html">Full Version History</a></li>
<li><a href="tests.html">Testing</a></li>
<li><a href="issues.html">Known Issues</a></li>
<li><a href="statsfunctions.html">Stats Functions</a></li>
</ul>
</div>
<div class="col-lg-4 col-12">
<ul class="list-unstyled">
<li><a href="contributors.html">Contributors</a></li>
<li><a href="trademarks.html">Trademarks</a></li>
<li>&nbsp;</li>
<li><a href="copyright.html">Copyright &amp; License&nbsp;&nbsp;<img src="https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square" alt="MIT license" /></a></li>
<li><a href="https://www.plus-innovations.com">&copy; 2026 Sebastian Hildebrandt</a></li>
<li><a href="https://www.plus-innovations.com">+innovations GmbH</a></li>
</ul>
</div>
</div>
</div>
</footer>
<script>
window.onload = function (e) {
createMenu();
}
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink