Description
querymen prior to 2.1.4 allows modification of object properties. The parameters of the exported function handler(type, name, fn) can be controlled by users without any sanitization, which could be abused for prototype pollution attacks.
References (2)
Exploit, Third Party Advisory x_refsource_misc
https://github.com/diegohaz/querymen/commit/1987fefcb3b7508253a29502a008d5063a873cef
Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-QUERYMEN-559867
Scores
CVSS v3
5.3
EPSS
0.0032
EPSS Percentile
55.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-1321
Status
published
Products (2)
npm/querymen
0 - 2.1.4 (npm)
querymen_project/querymen
< 2.1.4
Published
Mar 12, 2020
Tracked Since
Feb 18, 2026