5 matches found
EUVD-2020-1478
Malware in sbrugna...
1405-authtokens (>=1.0.1 <=1.0.5), 1405_logging (=1.0.0) +3899 more potentially affected by CVE-2020-35149 via mquery (>=0.2.4 <=3.2.2)
mquery npm version =0.2.4, =1.0.1, =1.0.7, =0.0.1, =0.0.2, =0.3.0, =0.0.1, =0.2.0, =0.0.1, =1.0.16, =1.0.30, =1.0.95 and more. Source CVEs: CVE-2020-35149. Source advisory: OSV:GHSA-45Q2-34RF-MR94...
Prototype Pollution
Overview: mquery is an expressive query builder for MongoDB. Affected versions of this package are vulnerable to Prototype Pollution via the merge function within lib/utils.js. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program. PoC...
CVE-2020-35149
CVE-2020-35149 affects mquery before 3.2.3 via prototype pollution in lib/utils.js, where a special property (e.g., __proto__) can be copied during merge or clone, altering object prototypes. Exploitation is described across sources (NVD, Red Hat advisory, Snyk) as a prototype pollution risk that ca...
Mquery Security Vulnerability
Aheckmann mquery is a JavaScript-based codebase, from the individual developer Aheckmann, for efficiently generating MongoDB query statements. A security vulnerability exists in lib/utils.js in mquery versions prior to 3.2.3, which allows pollution attacks because a special attribute (e.g. __proto__) can...