CVE-2020-7600 – querymen
Package
Manager: npm
Name: querymen
Vulnerable Version: >=0 <2.1.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00319 (percentile 0.54395)
Details
Improperly Controlled Modification of Dynamically-Determined Object Attributes in querymen: versions prior to 2.1.4 allow modification of object properties. The parameters of the exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.
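The class of bug described above, shown as an added example that is not querymen's source code: an unsanitized handler(type, name, fn) registry beside a hardened one. The registry layout, the type names and the helper names (makeUnsafeHandler, makeSafeHandler, probe) are assumptions made for illustration.

```javascript
// Added illustration, not querymen's source. Registry layout and type names are assumptions.
const TYPES = ['parsers', 'formatters', 'validators'];
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsanitized pattern: type and name index plain objects directly.
function makeUnsafeHandler() {
  const handlers = { parsers: {}, formatters: {}, validators: {} };
  return function handler(type, name, fn) {
    // handlers['__proto__'] resolves to Object.prototype, so the write is global.
    if (arguments.length > 2) handlers[type][name] = fn;
    return handlers[type][name];
  };
}

// Hardened pattern: allowlisted types, rejected special keys, null-prototype storage.
function makeSafeHandler() {
  const handlers = Object.create(null);
  for (const t of TYPES) handlers[t] = Object.create(null);
  return function handler(type, name, fn) {
    if (!TYPES.includes(type)) throw new TypeError('unknown handler type');
    if (typeof name !== 'string' || FORBIDDEN_KEYS.has(name)) {
      throw new TypeError('invalid handler name');
    }
    if (arguments.length > 2) {
      if (typeof fn !== 'function') throw new TypeError('handler must be a function');
      handlers[type][name] = fn;
    }
    return handlers[type][name];
  };
}

// Registers a marker through `handler` and reports whether Object.prototype changed.
function probe(handler) {
  const marker = function addedExampleMarker() {};
  let outcome = 'clean';
  try {
    handler('__proto__', 'addedExampleMarker', marker);
    if ({}.addedExampleMarker === marker) outcome = 'polluted';
  } catch (err) {
    outcome = 'rejected';
  } finally {
    delete Object.prototype.addedExampleMarker; // always undo the marker
  }
  return outcome;
}

console.log(probe(makeUnsafeHandler()), probe(makeSafeHandler()));
```

The probe function can serve as a regression check in a test suite for any registry that accepts caller-supplied keys.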
Metadata
Created: 2021-05-07T16:16:43Z
Modified: 2021-07-28T18:46:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2cf2-2383-h4jv/GHSA-2cf2-2383-h4jv.json
CWE IDs: ["CWE-1321", "CWE-915"]
Alternative ID: GHSA-2cf2-2383-h4jv
Finding: F390
Auto approve: 1