CVE-2023-42810: wifi sanitizing ssid names · sebhildebrandt/systeminformation@7972565

systeminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have an SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to wifiConnections() and wifiNetworks() (string only).
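As an added example (not code from the systeminformation project or from this commit), the check below shows one way to apply the workaround from the description above in Node.js: a string parameter is validated against an allowlist and refused if it carries shell metacharacters before it reaches any call that could build a command from it. The helper names and the allowlist pattern are assumptions made here; the same check is worth applying to SSID strings read back from the OS, since the commit text attributes the injection to crafted detected SSIDs.

```javascript
// Added example, not systeminformation's own code. The helper names
// (checkParam, guardedCall) and the allowlist are assumptions chosen here.
// Goal: reject any string that could break out of a quoted shell argument
// before it is handed to a function that might build a command from it.

// Allowlist: printable characters that cannot end a quoted argument or start
// a command substitution. The length cap keeps pathological inputs out.
const SAFE_PARAM = /^[A-Za-z0-9 ._-]{1,32}$/;

// Characters with meaning to /bin/sh and cmd.exe; reported as the reason so
// a rejection can be logged together with its cause.
const SHELL_META = /[;&|`$(){}<>"'\\\r\n]/;

function checkParam(value) {
  if (typeof value !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (SHELL_META.test(value)) {
    return { ok: false, reason: 'shell metacharacter' };
  }
  if (!SAFE_PARAM.test(value)) {
    return { ok: false, reason: 'outside allowlist' };
  }
  return { ok: true, reason: null };
}

// Wrap the call site: fail closed on a bad value rather than passing it on.
// `fn` stands in for wifiConnections()/wifiNetworks() or any similar function
// that takes a string parameter.
function guardedCall(fn, value) {
  const verdict = checkParam(value);
  if (!verdict.ok) {
    throw new Error(`parameter rejected: ${verdict.reason}`);
  }
  return fn(value);
}

// Constructed sample values: a benign SSID and a crafted one.
const samples = ['HomeNet-5G', 'Guest; echo injected'];
for (const s of samples) {
  console.log(JSON.stringify(s), checkParam(s));
}
```

The wrapper throws instead of stripping characters: silently rewriting an SSID hides the fact that an unusual or hostile network name was seen, whereas a rejection with its reason can be logged and alerted on.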

Category: CVE
Tags: #vulnerability #nodejs #js #wifi


@@ -49,6 +49,24 @@ <h2>Passing User Paramters to Systeminformation</h2>

<p class="warning">This can lead to serious impact on your servers!</p>

<p>We highly recommend to always upgrade to the latest version of our package. We maintain security updates for version 5 AND also version 4. For version 4 you can install latest version by placing <span class="code">"systeminformation": "^4"</span> in your package.json (dependencies) and run <span class="code">npm install</span></p>

<h2>SSID Command Injection Vulnerability</h2>

<p><span class="bold">Affected versions:</span>

< 5.21.07 and < 4.34.22<br>

<span class="bold">Date:</span> 2023-09-19<br>

<span class="bold">CVE indentifier</span> -

</p>

<h4>Impact</h4>

<p>We had an issue that there was a possibility to perform a potential command injection possibility by crafting detected SSIDs in <span class="code">wifiConnections()</span>, <span class="code">wifiNetworks()</span>.</p>

<h4>Patch</h4>

<p>Problem was fixed with parameter checking. Please upgrade to version >= 5.7.21 (or >= 4.34.22 if you are using version 4).</p>

<h4>Workaround</h4>

<p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">wifiConnections()</span>, <span class="code">wifiNetworks()</span> (string only)</p>

<hr>

<br>

<h2>Command Injection Vulnerability</h2>

<p><span class="bold">Affected versions:</span>

< 5.6.13 and < 4.34.21<br>
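Review bot: the version numbers in this hunk contradict each other: the Affected versions line reads `< 5.21.07 and < 4.34.22` while the Patch paragraph tells readers to upgrade to `>= 5.7.21`, and the advisory description at the top of this page gives the fix as 5.21.7. Suggest `< 5.21.7 and < 4.34.22` on the affected line and `>= 5.21.7` in the Patch paragraph. The GHSA text quoted under Related news states that version 4 was not affected, so the `< 4.34.22` bound and the `>= 4.34.22` upgrade advice should be confirmed against the v4 branch before this is published. The line `<span class="bold">CVE indentifier</span> -` is misspelled and left empty even though the commit title carries CVE-2023-42810; fill it in. Minor: the Impact sentence repeats itself ("possibility to perform a potential command injection possibility"); "a potential command injection by crafting detected SSIDs" reads more clearly, and the unchanged heading "Passing User Paramters" is also misspelled.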


@@ -255,4 +273,4 @@ <h4>Workaround</h4>

</script>

</body>

</html>

</html>
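Review bot: the hunk shows `</html>` on two consecutive lines; in this rendering the +/- markers are not visible, so it is not clear whether this is an end-of-file newline change (one `</html>` removed, one added) or whether the file genuinely ends with two closing tags. Confirm the document ends with a single `</html>` after `</body>`.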

Related news

GHSA-gx6r-qc2v-3p3v: systeminformation SSID Command Injection Vulnerability

### Impact

SSID Command Injection Vulnerability

### Patches

Problem was fixed with a parameter check. Please upgrade to version >= 5.21.7. Version 4 was not affected.

### Workarounds

If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to wifiConnections(), wifiNetworks() (string only).

### References

See also https://systeminformation.io/security.html
