Vulnerability Details CVE-2020-28460
This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 66.4%
CVSS Severity
CVSS v3 Score 5.6
CVSS v2 Score 7.5
References
Products affected by CVE-2020-28460
-
cpe:2.3:a:multi-ini_project:multi-ini:0.0.1
-
cpe:2.3:a:multi-ini_project:multi-ini:0.1.0
-
cpe:2.3:a:multi-ini_project:multi-ini:0.1.1
-
cpe:2.3:a:multi-ini_project:multi-ini:0.1.2
-
cpe:2.3:a:multi-ini_project:multi-ini:0.2.1
-
cpe:2.3:a:multi-ini_project:multi-ini:0.2.2
-
cpe:2.3:a:multi-ini_project:multi-ini:0.2.3
-
cpe:2.3:a:multi-ini_project:multi-ini:0.2.4
-
cpe:2.3:a:multi-ini_project:multi-ini:0.2.5
-
cpe:2.3:a:multi-ini_project:multi-ini:0.4.0
-
cpe:2.3:a:multi-ini_project:multi-ini:0.4.1
-
cpe:2.3:a:multi-ini_project:multi-ini:0.5.0
-
cpe:2.3:a:multi-ini_project:multi-ini:0.5.1
-
cpe:2.3:a:multi-ini_project:multi-ini:0.5.2
-
cpe:2.3:a:multi-ini_project:multi-ini:1.0.0
-
cpe:2.3:a:multi-ini_project:multi-ini:1.0.1
-
cpe:2.3:a:multi-ini_project:multi-ini:2.0.0
-
cpe:2.3:a:multi-ini_project:multi-ini:2.1.0
-
cpe:2.3:a:multi-ini_project:multi-ini:2.1.1