CVE Vulnerability

CVE-2020-7600

querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://snyk.io/vuln/SNYK-JS-QUERYMEN-559867 Patch Third Party Advisory
https://github.com/diegohaz/querymen/commit/1987fefcb3b7508253a29502a008d5063a873cef Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:querymen_project:querymen:*:*:*:*:*:*:*:*
Information

Published : 2020-03-12 11:15

Updated : 2022-12-02 07:58

NVD link : CVE-2020-7600

Mitre link : CVE-2020-7600

Products Affected
No products.
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')