CVE-2016-10533

EPSS 1.4%CWE-200

Vexday Risk Score

3Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS —EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

31 mai 2018Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. express-restify-mongoose 2.4.2 and earlier and 3.0.X through 3.0.1 allows a malicious user to send a request for `GET /User?distinct=password` and get all the passwords for all the users in the database, despite the field being set to private. This can be used for other private data if the malicious user knew what was set as private for specific routes.

Produtos afetados

HackerOne · express-restify-mongoose node module

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/florianholzapfel/express-restify-mongoose/issues/252 https://nodesecurity.io/advisories/92