Description
querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.
Remediation
References
https://snyk.io/vuln/SNYK-JS-QUERYMEN-559867
https://github.com/diegohaz/querymen/commit/1987fefcb3b7508253a29502a008d5063a873cef
Related Vulnerabilities
CVE-2019-12400 Vulnerability in maven package org.apache.santuario:xmlsec
CVE-2022-25916 Vulnerability in npm package mt7688-wiscan
CVE-2023-25826 Vulnerability in maven package net.opentsdb:opentsdb
CVE-2023-29507 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2017-5662 Vulnerability in maven package batik:batik-dom