OS2iot / OS2iot-backend

This repository contains the backend to the project OS2iot.
Mozilla Public License 2.0

Fix CVE-2019-18413 #203

Closed debricked[bot] closed 1 year ago

debricked[bot] commented 1 year ago

CVE-2019-18413

Vulnerability details

Description

### Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

> The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

### NVD

> In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

### GitHub

> SQL Injection and Cross-site Scripting in class-validator
>
> In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

CVSS details - 9.8

| CVSS3 metrics | |
|:-|:-|
| Attack Vector | **Network** |
| Attack Complexity | **Low** |
| Privileges Required | **None** |
| User Interaction | **None** |
| Scope | **Unchanged** |
| Confidentiality | **High** |
| Integrity | **High** |
| Availability | **High** |

References

- [NVD - CVE-2019-18413](https://nvd.nist.gov/vuln/detail/CVE-2019-18413)
- [SQL Injection and Cross-site Scripting in class-validator · CVE-2019-18413 · GitHub Advisory Database · GitHub](https://github.com/advisories/GHSA-fj58-h2fr-3pp2)
- [fix: default settings allows arbitrary bypass vulnerability · Issue #438 · typestack/class-validator · GitHub](https://github.com/typestack/class-validator/issues/438)
- [GitHub - typestack/class-validator: Decorator-based property validation for classes.](https://github.com/typestack/class-validator#passing-options)
- [fix: default settings allows arbitrary bypass vulnerability · Issue #438 · typestack/class-validator · GitHub](https://github.com/typestack/class-validator/issues/438#issuecomment-964728471)
- [security: SNYK-JS-CLASSVALIDATOR-1730566 · Issue #1422 · typestack/class-validator · GitHub](https://github.com/typestack/class-validator/issues/1422#issuecomment-1344635415)


Related information

:pushpin: Remember! Check the changes to ensure they don't introduce any breaking changes.
:books: Read more about the CVE
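The advisory above turns on one design point: a validator that looks up its rules from the value's class has nothing to check when the lookup misses, and the weak default then accepts the value unchanged. The block below is an added example, written for this page and not code from OS2iot or from class-validator: a small JavaScript model of that lookup, showing the fail-open default next to the fail-closed behaviour a `forbidUnknownValues`-style option gives. The registry, the `CreateUserDto` class, its rules and the request bodies are all constructed for the example; the option name is borrowed from the advisory. In the real library the switch is passed as `validate(object, { forbidUnknownValues: true })` (see the "passing options" reference in the comment above).

```javascript
// Added example, not code from OS2iot or class-validator: a miniature model of
// a decorator-style validator whose rules are looked up from the value's class.
// Everything here (registry, DTO, rules, payloads) is constructed for the example.

// Rule registry keyed by class constructor, standing in for decorator metadata.
const ruleRegistry = new Map();

function registerRules(cls, ruleList) {
  ruleRegistry.set(cls, ruleList);
}

// A DTO the way a controller would declare one (decorators replaced by the registry).
class CreateUserDto {}
registerRules(CreateUserDto, [
  {
    property: "name",
    check: (v) => typeof v === "string" && v.length > 0 && v.length <= 32,
    message: "name must be a non-empty string of at most 32 characters",
  },
  {
    property: "email",
    check: (v) => typeof v === "string" && /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v),
    message: "email must look like an address",
  },
]);

// Validate a value against the rules registered for its class.
// Returns a list of error messages; an empty list means "accepted".
function validate(value, options = {}) {
  const isObject = value !== null && typeof value === "object";
  const ruleList = isObject ? ruleRegistry.get(value.constructor) : undefined;
  if (!ruleList) {
    // No metadata for this value: a plain Object parsed from JSON, a
    // null-prototype object, or one whose own "constructor" key shadows the
    // real one all land here. The weak default accepts it without checking
    // anything (fail open); forbidUnknownValues rejects it (fail closed).
    return options.forbidUnknownValues
      ? ["unknown value: no validation rules are registered for it"]
      : [];
  }
  return ruleList
    .filter((rule) => !rule.check(value[rule.property]))
    .map((rule) => rule.message);
}

// The configuration a service should run with: unknown values are never accepted.
function validateStrict(value, options = {}) {
  return validate(value, { ...options, forbidUnknownValues: true });
}

// Walk through the cases a practitioner cares about and return the error counts.
function demo() {
  // 1. A real DTO instance with bad data is rejected either way.
  const badDto = Object.assign(new CreateUserDto(), { name: "", email: "nope" });
  // 2. A request body parsed straight from JSON is a plain Object: no rules match.
  const rawBody = JSON.parse('{"name": 123, "email": "not-an-address"}');
  return {
    badDtoErrors: validate(badDto).length,          // 2
    rawBodyDefault: validate(rawBody).length,       // 0: accepted without any check
    rawBodyStrict: validateStrict(rawBody).length,  // 1: rejected as unknown
  };
}

console.log(demo());
```

The check worth running against a real service is the second case: feed the validation layer a plain parsed body for an endpoint that expects a DTO and confirm it is rejected rather than silently passed through; then confirm the installed class-validator version is configured with `forbidUnknownValues` set to true, rather than relying on whatever the default happens to be.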


ramogens-OS2 commented 1 year ago

Automated PR from Debricked. Not sure of the implications and it's rather big, so I'm closing.