Sebhildebrandt

**Name of the Vulnerable Software and Affected Versions** systeminformation versions 5.0.0 through 5.21.6 **Description** The systeminformation library for Node.JS has a SSID Command Injection Vulnerability. This issue affects versions 5.0.0 through 5.21.6. The problem was fixed with a parameter check in version 5.21.7. The vulnerability can be exploited through the `wifiConnections()` and `wifiNetworks()` functions, specifically when passing string parameters. It is estimated that the library has 8 monthly downloads, potentially affecting a significant number of devices. **Recommendations** For versions 5.0.0 through 5.21.6, upgrade to version 5.21.7 or later to resolve the issue. As a temporary workaround for versions 5.0.0 through 5.21.6, check or sanitize parameter strings that are passed to `wifiConnections()` and `wifiNetworks()` (string only).

**Name of the Vulnerable Software and Affected Versions** systeminformation versions prior to 5.6.4 **Description** A command injection issue has been discovered in the systeminformation library for Node.js. This issue is related to errors in passing data to parameters of services such as `si.inetLatency`, `si.inetChecksite`, `si.services`, and `si.processLoad`. Exploitation of this issue could allow a remote attacker to execute arbitrary code. The problem has been fixed with a parameter check on user input. **Recommendations** For versions prior to 5.6.4, upgrade to version >= 5.6.4. If you cannot upgrade, check or sanitize service parameters that are passed to functions like `si.inetLatency()`, `si.inetChecksite()`, `si.services()`, and `si.processLoad()`, allowing only strings and rejecting any arrays.

**Name of the Vulnerable Software and Affected Versions** systeminformation versions prior to 4.31.1 **Description** The issue is a command injection vulnerability. It was fixed with a shell string sanitation fix. There is no information about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions prior to 4.31.1, upgrade to version 4.31.1 or later to resolve the issue. As a temporary workaround, consider checking or sanitizing service parameter strings that are passed to `si.inetLatency()`.

**Name of the Vulnerable Software and Affected Versions** systeminformation versions prior to 4.30.5 **Description** The issue is a command injection vulnerability caused by prototype pollution. It was fixed with a rewrite of shell sanitations to avoid prototype pollution problems. **Recommendations** For versions prior to 4.30.5, upgrade to version 4.30.5 or later. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to `si.inetChecksite()`.

**Name of the Vulnerable Software and Affected Versions** systeminformation versions prior to 4.26.2 **Description** The issue is a command injection vulnerability. It was fixed with a shell string sanitation fix. **Recommendations** For versions prior to 4.26.2, upgrade to version 4.26.2 or later to resolve the issue. As a temporary workaround, consider checking or sanitizing service parameter strings that are passed to `is.services()`, `is.inetChecksite()`, `si.inetLatency()`, `si.networkStats()`, `is.services()`, and `si.processLoad()`.