CVE-2024-56334 HIGH

CVE-2024-56334: Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation

Vendor Sebhildebrandt
Product systeminformation
Weakness CWE-94 · Code injection
Published December 20, 2024
Last update December 24, 2024

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

December 20, 2024 CVE published
December 24, 2024 Record updated