CVE-2017-20160 – express-param

Package

Manager: npm
Name: express-param
Vulnerable Version: >=0 <1.0.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00072 pctl0.22636

Details

express-param vulnerable to Improper Handling of Extra Parameters A vulnerability was found in flitto express-param up to 0.x. It has been classified as critical. This affects an unknown part of the file `lib/fetchParams.js`. The manipulation leads to improper handling of extra parameters. It is possible to initiate the attack remotely. Upgrading to version 1.0.0 can address this issue. The name of the patch is db94f7391ad0a16dcfcba8b9be1af385b25c42db. It is recommended to upgrade the affected component. The identifier VDB-217149 was assigned to this vulnerability.

Metadata

Created: 2022-12-31T21:30:20Z
Modified: 2023-01-09T21:59:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-fr54-72wr-cqvq/GHSA-fr54-72wr-cqvq.json
CWE IDs: ["CWE-235"]
Alternative ID: GHSA-fr54-72wr-cqvq
Finding: F067
Auto approve: 1