6 matches found
CVE-2019-17426
Automattic Mongoose through 5.7.4 allows attackers to bypass access control in some applications because any query object with a bsontype attribute is ignored. For example, adding "bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around...
GHSA-RC4V-99CR-PJCM Prototype Pollution in ali-security/mongoose
Impact This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate. For applications using Express and EJS, this can potentially allow remote code execution. Patches The original patched version for mongoose 5.3.3 did not include a fix for...
Prototype Pollution in ali-security/mongoose
Impact This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate. For applications using Express and EJS, this can potentially allow remote code execution. Patches The original patched version for mongoose 5.3.3 did not include a fix for...
01runmodel (>=1.0.3 <=1.0.4), 18a58t9c-upload (>=1.0.0 <=1.0.3) +5655 more potentially affected by CVE-2019-17426 via mongoose (>=5.0.0 <=5.7.4)
mongoose NPM version =5.0.0, =1.0.3, =1.0.0, =1.0.0, =0.20.0, =1.0.4, =1.1.0, =0.1.0, =0.3.5, =0.17.9 and more Source cves: CVE-2019-17426 Source advisory: OSV:GHSA-8687-VV9J-HGPH...
CVE-2019-17426
Automattic Mongoose through 5.7.4 allows attackers to bypass access control in some applications because any query object with a bsontype attribute is ignored. For example, adding "bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around...
CVE-2019-17426
Automattic Mongoose up to version 5.7.4 is affected. The root cause is that a query object containing a _bsontype attribute is ignored, which can bypass access control in some applications (e.g., a query filter interference with _bsontype). The CVE covers this behavior in older versions of the bs...