CVE-2017-1000048 — Improper Input Validation in Project QS

CWE-20 — Improper Input Validation9 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

QS Project QS

Timeline

PublishedJul 17

Latest updateApr 30

Description

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶npmqs_project/qs6.1.0 — 6.1.2+3

▶NVDqs_project/qs30 versions+29

🔴Vulnerability Details

OSV

Prototype Pollution Protection Bypass in qs↗2020-04-30

▶

GHSA

Prototype Pollution Protection Bypass in qs↗2020-04-30

▶

CVEList

CVE-2017-1000048: the web framework using ljharb's qs module older than v6↗2017-07-13

▶

📋Vendor Advisories

Red Hat

nodejs-qs: Prototype override protection bypass↗2017-03-01

▶

💬Community

Bugzilla

CVE-2017-1000048 nodejs-qs: Prototype override protection bypass [fedora-all]↗2017-03-01

▶

Bugzilla

CVE-2017-1000048 nodejs-qs: Prototype override protection bypass [epel-6]↗2017-03-01

▶

Bugzilla

CVE-2017-1000048 nodejs-qs: Prototype override protection bypass↗2017-03-01

▶

Bugzilla

CVE-2017-1000048 nodejs-qs: Prototype override protection bypass [epel-7]↗2017-03-01

▶