Mongo-express before 0.54.0 Insufficient Information Vulnerability

Summary

Mongo-express before 0.54.0 suffers from an insufficient information vulnerability.

Credit:

The information has been provided by Jonathan Leitschuh.

The original article can be found at: https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215


Details

Mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The cause is a misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

Vulnerable Systems:

Mongo-express before 0.54.0 
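
A check for the affected range above, as an added example that is not part of the original advisory or of the mongo-express project: it scans a parsed package-lock.json for mongo-express entries below 0.54.0. It assumes npm's lockfile layouts (nested "dependencies" in version 1, flat "packages" in versions 2 and 3); the sample lockfile and the names admin-tools and legacy-ui are constructed.

```javascript
const FIXED = [0, 54, 0]; // first unaffected release, taken from the advisory
// True when `version` sorts below 0.54.0. Unparseable strings and pre-releases
// of 0.54.0 itself are reported as affected so they get a manual look.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return true;
  const nums = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Collect every mongo-express entry from a parsed package-lock.json.
function findMongoExpress(lock) {
  const hits = [];
  const record = (path, meta) => hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/mongo-express$/.test(path)) record(path, meta);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === 'mongo-express') record(`${trail}/${name}`, meta);
      walk(meta.dependencies, `${trail}/${name}`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (package names other than mongo-express are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'admin-tools', version: '1.0.0' },
    'node_modules/mongo-express': { version: '0.53.0' },
    'node_modules/legacy-ui/node_modules/mongo-express': { version: '0.54.0' },
  },
};

for (const hit of findMongoExpress(SAMPLE_LOCK)) {
  console.log(`${hit.path} ${hit.version} ${hit.affected ? 'AFFECTED' : 'ok'}`);
}
```

In practice, pass the function the result of JSON.parse on the project's own package-lock.json instead of SAMPLE_LOCK.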

 

CVE Information:

CVE-2019-10758

Disclosure Timeline:

Published Date: 12/24/2019
