| Title | CodeGenieApp serverless-express <=4.17.1 Property Injection |
|---|---|
| Description | The application's /users endpoint accepts arbitrary JSON in the filter query parameter and uses it to dynamically access object properties without validation. This allows authenticated attackers to enumerate database schema, inspect prototype chains, and perform reconnaissance against the application's data structures. While currently limited to information disclosure, this vulnerability provides attackers with valuable schema knowledge that can facilitate targeted attacks. |
| Source | https://github.com/AnalogyC0de/public_exp/issues/19 |
| User | Ana10gy (UID 93358) |
| Submission | 01/03/2026 00:27 (2 months ago) |
| Moderation | 11/03/2026 17:51 (11 days later) |
| Status | Accepted |
| VulDB entry | 350474 [CodeGenieApp serverless-express up to 4.17.1 Users Endpoint utils/dynamodb.ts filter privilege escalation] |
| Points | 20 |