Описание
Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious attacker can manipulate internal attributes by adding additional attributes to user input.
Ссылки
- Issue TrackingThird Party Advisory
- ExploitThird Party Advisory
- Issue TrackingThird Party Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:a:netease:pomelo:2.2.5:*:*:*:*:*:*:*
EPSS
Процентиль: 62%
0.00429
Низкий
5.3 Medium
CVSS3
5 Medium
CVSS2
Дефекты
CWE-668
Связанные уязвимости
CVSS3: 5.3
github
около 6 лет назад
Pomelo allows external control of critical state data
EPSS
Процентиль: 62%
0.00429
Низкий
5.3 Medium
CVSS3
5 Medium
CVSS2
Дефекты
CWE-668