
CVE-2020-7778: OS Command Injection in systeminformation

CVSS Score: 7.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.77092%
Published: 2/9/2022
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name: systeminformation
Ecosystem: npm
Vulnerable Versions: < 4.30.2
First Patched Version: 4.30.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from prototype pollution affecting string processing functions used in OS command construction. Key functions identified:

  1. inetChecksite - Directly processes user-controlled URLs passed to curl
  2. sanitizeShellString - Core sanitation method vulnerable to String prototype overrides
  3. Network/process functions - Interface with system commands using unsafely sanitized inputs

Patches show added prototype pollution checks (isPrototypePolluted) and safer character-by-character sanitization, confirming these were vulnerable entry points. Runtime exploitation would show these functions processing malicious inputs before command execution.
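As an added example (not code from systeminformation or from Miggo), the contrast the analysis draws: a sanitizer that delegates to String.prototype methods, a hardened variant with a prototype-tampering guard and a character-by-character allowlist, and a regression-test helper that simulates a polluted prototype. The function names, the guard logic and the allowlist are assumptions of this example, modeled on the names mentioned above rather than taken from the patch.

```javascript
// Shell metacharacters the weak sanitizer strips (constructed list for this example).
const SHELL_META = '|&;$>()<`\\"\'\n\r';

// Weak variant: fine in a clean runtime, but every step resolves through
// String.prototype.split, so a polluted prototype decides what is removed.
function sanitizeShellStringWeak(s) {
  let out = String(s);
  for (const ch of SHELL_META) out = out.split(ch).join('');
  return out;
}

// Reference captured at module load, before untrusted data is processed
// (assumption: this module loads before attacker-influenced input arrives).
const ORIGINAL_SPLIT = String.prototype.split;

// Our stand-in for an isPrototypePolluted-style guard: compare the live
// method with the captured reference.
function isPrototypePolluted() {
  return String.prototype.split !== ORIGINAL_SPLIT;
}

function isAllowedChar(ch) {
  return (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') ||
         (ch >= '0' && ch <= '9') || ch === '-' || ch === '.' ||
         ch === '_' || ch === ':' || ch === '/' || ch === '?' || ch === '=';
}

// Hardened variant: refuse on a tampered prototype, otherwise keep only
// allowlisted characters. Index access and .length are own properties of
// the string, not prototype methods, so pollution cannot redirect the loop.
function sanitizeShellStringHardened(s) {
  if (typeof s !== 'string') throw new TypeError('expected a string');
  if (isPrototypePolluted()) throw new Error('String.prototype tampered with');
  let out = '';
  for (let i = 0; i < s.length; i++) if (isAllowedChar(s[i])) out += s[i];
  return out;
}

// Regression-test helper: run fn while String.prototype.split is a no-op that
// returns its receiver (a stand-in for a polluted prototype), then restore it.
function withTamperedSplit(fn) {
  const saved = String.prototype.split;
  String.prototype.split = function () { return [String(this)]; };
  try { return fn(); } finally { String.prototype.split = saved; }
}
```

In a clean runtime both sanitizers agree; once the prototype is tampered with, the weak one silently passes the metacharacter through while the hardened one refuses to build a command at all.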

WAF Protection Rules

WAF Rule

This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
