CVE-2020-7600 Vulnerability in npm package querymen

Description

querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.

Remediation

References

https://github.com/diegohaz/querymen/commit/1987fefcb3b7508253a29502a008d5063a873cef

https://snyk.io/vuln/SNYK-JS-QUERYMEN-559867

Related Vulnerabilities

CVE-2021-32859 Vulnerability in maven package org.webjars.npm:github-com-baremetrics-calendar

CVE-2020-7656 Vulnerability in maven package org.webjars.bowergithub.jquery:jquery

CVE-2020-35202 Vulnerability in maven package org.igniterealtime.openfire.plugins:dbaccess

CVE-2015-6584 Vulnerability in maven package org.webjars:datatables

CVE-2021-39157 Vulnerability in npm package detect-character-encoding

Severity

Medium

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N