CVE-2020-28461

EUVD-2022-6376
This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.
Prototype Pollution
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
snykCNA
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
js-ini_projectjs-ini
𝑥
< 1.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Sdju/js-ini/commit/fa17efb7e3a7c9464508a254838d4c231784931e
https://security.snyk.io/vuln/SNYK-JS-JSINI-1048970
https://github.com/Sdju/js-ini/commit/fa17efb7e3a7c9464508a254838d4c231784931e
https://security.snyk.io/vuln/SNYK-JS-JSINI-1048970