CVE-2019-10758
Severity: CRITICAL (CVSS 9.9)
WAF Coverage: Medium
Published: 2019-12-24
CWE-94
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The root cause is a misuse of the `vm` dependency to evaluate (`exec`) user-controlled input in a context that is not a safe sandbox.
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
Relevant CRS rule groups:
- 932xxx - Remote Code Execution
- 933xxx - PHP Injection
- 934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| mongo-express_project | mongo-express | up to 0.54.0 |
References
- snyk.io (Exploit, Third Party Advisory)
- www.cisa.gov (US Government Resource)