Read Time:38 Second

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has “deps: qs@6.9.7” in its release description, is not vulnerable).

Read More

More Stories

kernel-6.2.9-100.fc36

FEDORA-2023-d525cf5272 Packages in this update: kernel-6.2.9-100.fc36 Update description: The 6.2.9 stable kernel update contains a number of important fixes across...

kernel-6.2.9-200.fc37

FEDORA-2023-98251cef79 Packages in this update: kernel-6.2.9-200.fc37 Update description: The 6.2.9 stable kernel update contains a number of important fixes across...

kernel-6.2.9-300.fc38

FEDORA-2023-c46eb02bbf Packages in this update: kernel-6.2.9-300.fc38 Update description: The 6.2.9 stable kernel update contains a number of important fixes across...

seamonkey-2.53.16-1.el7

FEDORA-EPEL-2023-7be8f2df20 Packages in this update: seamonkey-2.53.16-1.el7 Update description: Update to 2.53.16 Langpacks are now provided in the modern form of...

Generated by Feedzy