Vulnerability Description
This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVSS Score
7.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Conf-Cfg-Ini Project | Conf-Cfg-Ini | < 1.2.2 |
Related Weaknesses (CWE)
References
- https://github.com/loge5/conf-cfg-ini/commit/3a88a6c52c31eb6c0f033369eed40aa168a (Patch, Third Party Advisory)
- https://security.snyk.io/vuln/SNYK-JS-CONFCFGINI-1048973 (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-28441?
CVE-2020-28441 is a vulnerability with a CVSS score of 7.3 (HIGH). This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This c...
How severe is CVE-2020-28441?
CVE-2020-28441 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-28441?
Check the references section above for vendor advisories and patch information. Affected products include: Conf-Cfg-Ini Project Conf-Cfg-Ini.