Valeri Karpov

5 exploits Active since Oct 2019
CVE-2019-17426 WRITEUP CRITICAL WRITEUP
Automattic Mongoose <5.7.4 - Auth Bypass
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
CVSS 9.1
CVE-2020-35149 WRITEUP MEDIUM WRITEUP
mquery <3.2.3 - Code Injection
lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., __proto__) can be copied during a merge or clone operation.
CVSS 5.3
CVE-2021-23438 WRITEUP MEDIUM WRITEUP
Mpath < 0.8.4 - Type Confusion
This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.
CVSS 5.6
CVE-2022-2564 WRITEUP CRITICAL WRITEUP
automattic/mongoose <6.4.6 - Info Disclosure
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
CVSS 9.8
CVE-2023-3696 WRITEUP CRITICAL WRITEUP
Mongoose < 5.13.20 - Prototype Pollution
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
CVSS 9.8