CVE-2020-7788

critical

Description

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

References

Advisories
More

https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html

https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1

https://snyk.io/vuln/SNYK-JS-INI-1048974

Details

Source: Mitre, NVD

Published: 2020-12-11

Updated: 2022-12-02

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00291

Detections

Analytics