Description

querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.

Remediation

References

https://github.com/diegohaz/querymen/commit/1987fefcb3b7508253a29502a008d5063a873cef

https://snyk.io/vuln/SNYK-JS-QUERYMEN-559867

Related Vulnerabilities

CVE-2022-27772 Vulnerability in maven package org.springframework.boot:spring-boot

CVE-2023-30527 Vulnerability in maven package org.jenkins-ci.plugins:wso2id-oauth

CVE-2021-21266 Vulnerability in maven package org.openhab.addons.bundles: org.openhab.binding.bosesoundtouch

CVE-2021-41561 Vulnerability in maven package org.apache.parquet:parquet

CVE-2020-17527 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

Severity

Medium

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Exploit Third Party Advisory Patch