#VU26151 Prototype pollution in minimist


Published: 2020-03-18 | Updated: 2020-07-22

Vulnerability identifier: #VU26151

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-7598

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
minimist
Web applications / Modules and components for CMS

Vendor: Gived.Org

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation
The vendor has issued the following versions to address this vulnerability: 1.2.3.

Vulnerable software versions

minimist: 0.0.0 - 1.2.2

Fixed software versions

CPE

External links
http://www.npmjs.com/advisories/1179

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM QRadar Data Synchronization App
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Multiple vulnerabilities in IBM Intelligent Operations Center
Multiple vulnerabilities in IBM Cognos Analytics
Multiple vulnerabilities in IBM Engineering Requirements Quality Assistant On-Premises
Multiple vulnerabilities in IBM QRadar Pulse for QRadar SIEM
Multiple vulnerabilities in OpenShift Container Platform 4.6
Red Hat Software Collections update for rh-nodejs10-nodejs
Red Hat Software Collections update for rh-nodejs12-nodejs
OpenSUSE Linux update for nodejs8