Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJjZjItMjM4My1oNGp2
Improperly Controlled Modification of Dynamically-Determined Object Attributes in querymen
querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.
Permalink: https://github.com/advisories/GHSA-2cf2-2383-h4jvJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJjZjItMjM4My1oNGp2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-2cf2-2383-h4jv, CVE-2020-7600
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7600
- https://github.com/diegohaz/querymen/commit/1987fefcb3b7508253a29502a008d5063a873cef
- https://snyk.io/vuln/SNYK-JS-QUERYMEN-559867
- https://github.com/advisories/GHSA-2cf2-2383-h4jv
Blast Radius: 12.5
Affected Packages
npm:querymen
Dependent packages: 12Dependent repositories: 228
Downloads: 13,151 last month
Affected Version Ranges: < 2.1.4
Fixed in: 2.1.4
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3
All unaffected versions: 2.1.4