9.9
CVE-2019-10758
- EPSS 94.36%
- Veröffentlicht 24.12.2019 22:15:11
- Zuletzt bearbeitet 27.10.2025 17:12:23
- Quelle report@snyk.io
- CVE-Watchlists
- Unerledigt
Loginmongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mongo-express Project ≫ Mongo-express SwPlatformnode.js Version < 0.54.0
10.12.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog
MongoDB mongo-express Remote Code Execution Vulnerability
Schwachstellemongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.36% | 1 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.9 | 3.1 | 6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
| nvd@nist.gov | 9 | 8 | 10 |
AV:N/AC:L/Au:S/C:C/I:C/A:C
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.9 | 3.1 | 6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.