We found results for “”
WS-2022-0440
Good to know:
Date: December 30, 2022
HTTP Query String Injection in unjs/unstorage. The application does not properly sanitize query string parameters in the cloudflare-kv-http,github and http drivers. In the case of the github and http drivers there is no immediate vulnerability, however a slight risk is presented. When a user controls a key within the cloudflare-kv-http driver the expiration and expiration_ttl parameters can be injected, allowing an attacker to modify the availability of an item. This vulnerability is fairly minor, however in combination with a vulnerability in the cloudflare service, or github, or other HTTP service, sensitive parameters may be injected. There may also be undocumented query string parameters within these services. Path traversals may also be possible in some services which normalise sequences of ../.
Language: TYPE_SCRIPT
Severity Score
Severity Score
Weakness Type (CWE)
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CWE-75Top Fix
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | NONE |
Integrity (I): | NONE |
Availability (A): | LOW |