Vulnerabilities for 'QS'

2022-03-17
 
CVE-2021-44907

NVD-CWE-noinfo
 

 
A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of properties in the qs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that any property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

 
2017-07-17
 
CVE-2017-1000048

CWE-20
 

 
A web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.

 


Copyright 2024, cxsecurity.com

 
