CVE-2020-28460

Опубликовано: 22 дек. 2020

Источник: nvd

CVSS3: 5.6

CVSS3: 8.1

CVSS2: 7.5

EPSS Низкий

Описание

This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.

Ссылки

https://github.com/evangelion1204/multi-ini/commit/6b2212b2ce152c19538a2431415f72942c5a1bde
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-MULTIINI-1053229
Exploit
Third Party Advisory
https://github.com/evangelion1204/multi-ini/commit/6b2212b2ce152c19538a2431415f72942c5a1bde
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-MULTIINI-1053229
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:multi-ini_project:multi-ini:*:*:*:*:*:node.js:*:*

Версия до 2.1.2 (исключая)

EPSS

Процентиль: 67%

0.0053

Низкий

5.6 Medium

CVSS3

8.1 High

CVSS3

7.5 High

CVSS2

Дефекты

CWE-1321

Связанные уязвимости

GHSA-67mq-h2r9-rh2m

CVSS3: 5.6

github

почти 5 лет назад

Prototype pollution in multi-ini

EPSS

Процентиль: 67%

0.0053

Низкий

5.6 Medium

CVSS3

8.1 High

CVSS3

7.5 High

CVSS2

Дефекты

CWE-1321