CVSS: 9.8EPSS: 47%CPEs: 1EXPL: 0CVE-2020-24391
https://notcve.org/view.php?id=CVE-2020-24391
mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769. mongo-express en versiones anteriores a la 1.0.0 ofrece soporte para cierta sintaxis avanzada pero lo implementa de una manera insegura. NOTA: esto puede superponerse a CVE-2019-10769. • https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a https://github.com/mongodb-js/query-parser/issues/16 •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-29579
https://notcve.org/view.php?id=CVE-2020-29579
The official Express Gateway Docker images before 1.14.0 contain a blank password for a root user. Systems using the Express Gateway Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access. Las imágenes oficiales de Docker Express Gateway versiones anteriores a 1.14.0, contienen una contraseña en blanco para un usuario root. Los sistemas que utilizan el contenedor Docker Express Gateway implementado por las versiones afectadas de la imagen de Docker pueden permitir a un atacante remoto lograr un acceso root • https://github.com/koharin/koharin2/blob/main/CVE-2020-29579 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2020-7767 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2020-7767
All versions of package express-validators are vulnerable to Regular Expression Denial of Service (ReDoS) when validating specifically-crafted invalid urls. Todas las versiones de los validadores rápidos de paquetes son vulnerables a la Denegación de servicio de expresiones regulares (ReDoS) al validar URL no válidas específicamente diseñadas • https://snyk.io/vuln/SNYK-JS-EXPRESSVALIDATORS-1017404 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 3CVE-2020-7699 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2020-7699
This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. Esto afecta el paquete express-fileupload versiones anteriores a 1.1.8. Si la opción parseNested está habilitada, el envío de una petición HTTP corrupta puede conllevar a una denegación de servicio o una ejecución de código arbitraria • https://github.com/ossf-cve-benchmark/CVE-2020-7699 https://github.com/richardgirges/express-fileupload/issues/236 https://security.netapp.com/advisory/ntap-20200821-0003 https://snyk.io/vuln/SNYK-JS-EXPRESSFILEUPLOAD-595969 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2020-7616
https://notcve.org/view.php?id=CVE-2020-7616
express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk. express-mock-middleware versiones hasta 0.0.6, es vulnerable a una Contaminación de Prototipos. Las funciones exportadas por el paquete pueden ser engañadas para agregar o modificar propiedades del "Object.prototype". • https://github.com/LingyuCoder/express-mock-middleware/blob/master/lib/index.js#L39 https://snyk.io/vuln/SNYK-JS-EXPRESSMOCKMIDDLEWARE-564120 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •