9.1
CVE-2024-53900
- EPSS 3.91%
- Veröffentlicht 02.12.2024 20:15:08
- Zuletzt bearbeitet 01.10.2025 18:24:19
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginMongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mongoosejs ≫ Mongoose SwPlatformnode.js Version < 6.13.5
Mongoosejs ≫ Mongoose SwPlatformnode.js Version >= 7.0.1 < 7.8.3
Mongoosejs ≫ Mongoose SwPlatformnode.js Version >= 8.0.1 < 8.8.3
Mongoosejs ≫ Mongoose Version7.0.0 Updaterc0 SwPlatformnode.js
Mongoosejs ≫ Mongoose Version8.0.0 Updaterc0 SwPlatformnode.js
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.91% | 0.889 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
https://github.com/Automattic/mongoose/commit/c9e86bff7eef477da75a29af62a06d41a835a156
https://github.com/Automattic/mongoose/releases
https://github.com/advisories/GHSA-m7xq-9374-9rvx
https://www.npmjs.com/package/mongoose?activeTab=versions