Description

querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.

Remediation

References

https://snyk.io/vuln/SNYK-JS-QUERYMEN-559867

https://github.com/diegohaz/querymen/commit/1987fefcb3b7508253a29502a008d5063a873cef

Related Vulnerabilities

CVE-2021-21306 Vulnerability in maven package org.webjars.npm:marked

CVE-2021-42340 Vulnerability in maven package org.apache.tomcat:tomcat-websocket

CVE-2020-15256 Vulnerability in npm package object-path

CVE-2019-25155 Vulnerability in maven package org.webjars.npm:dompurify

CVE-2020-7637 Vulnerability in npm package class-transformer

Severity

Medium

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Patch Third Party Advisory Exploit