CVE-2019-18413 LOW

CVE-2019-18413

Vendor N/A
Product n/a
Published October 24, 2019
Last update August 5, 2024

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AC:H/AV:N/A:N/C:N/I:L/PR:N/S:U/UI:N

What the vulnerability does

01Description

In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

Key dates

02Disclosure timeline

October 24, 2019 CVE published
August 5, 2024 Record updated