Vulnerability Description
In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Typestack Class-Validator Project | Typestack Class-Validator | 0.10.2 |
Related Weaknesses (CWE)
References
- https://github.com/typestack/class-validator#passing-options (Third Party Advisory)
- https://github.com/typestack/class-validator/issues/1422#issuecomment-1344635415 (Issue Tracking, Release Notes, Third Party Advisory)
- https://github.com/typestack/class-validator/issues/438 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/typestack/class-validator/issues/438#issuecomment-964728471 (Exploit, Issue Tracking, Third Party Advisory)
FAQ
What is CVE-2019-18413?
CVE-2019-18413 is a vulnerability with a CVSS score of 3.7 (LOW). In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidU...
How severe is CVE-2019-18413?
CVE-2019-18413 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2019-18413?
Check the references section above for vendor advisories and patch information. The affected product is Typestack Class-Validator (Typestack Class-Validator Project), version 0.10.2.