3 matches found
Incomplete List of Disallowed Inputs
Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray method, which allowlists an array based only on clazz.isArray and does not validate the array's component type. An attacker who...
Command Injection
systeminformation is vulnerable to command injection. An attacker is able to pass a string as an array to bypass validation and execute arbitrary commands through the following functions: inetLatency, inetChecksite, services, processLoad...
CVE-2020-28460 Prototype Pollution
This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448...