Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wMjNjLXA4dzItd3c1ds4AArtd
Prototype Pollution in querymen
All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. Note: This vulnerability derives from an incomplete fix of CVE-2020-7600.
Permalink: https://github.com/advisories/GHSA-p23c-p8w2-ww5vJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wMjNjLXA4dzItd3c1ds4AArtd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-p23c-p8w2-ww5v, CVE-2022-25871
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25871
- https://snyk.io/vuln/SNYK-JS-QUERYMEN-2391488
- https://github.com/advisories/GHSA-p23c-p8w2-ww5v
Affected Packages
npm:querymen
Dependent packages: 12Dependent repositories: 228
Downloads: 13,151 last month
Affected Version Ranges: <= 2.1.4
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4