{
  "vulnerability": "CVE-2020-2849",
  "sightings": [
    {
      "uuid": "aae7dbc3-43f7-4d5d-a181-cfcf4eaccfea",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385",
      "vulnerability": "CVE-2020-28493",
      "type": "seen",
      "source": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0395/",
      "content": "",
      "creation_timestamp": "2026-04-02T17:00:00.000000Z"
    },
    {
      "uuid": "2c92b170-9e94-40aa-95aa-5583477a54b8",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2020-28495",
      "type": "seen",
      "source": "https://t.me/cibsecurity/22939",
      "content": "\u203c CVE-2020-28495 \u203c\n\nThis affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-02-02T15:25:06.000000Z"
    },
    {
      "uuid": "c6df43c1-b096-4570-a2bf-263444e57baa",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2020-28496",
      "type": "published-proof-of-concept",
      "source": "https://t.me/cibsecurity/23801",
      "content": "\u203c CVE-2020-28496 \u203c\n\nThis affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = \"rgb(\" for (var i = 0; i < n; i++) { ret += \" \" } return ret + \"\"; } var Color = three.Color var time = Date.now(); new Color(build_blank(50000)) var time_cost = Date.now() - time; console.log(time_cost+\" ms\")\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-02-18T18:50:12.000000Z"
    },
    {
      "uuid": "867b5fcd-1bd4-41fa-91c1-9f638e5837c5",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2020-28490",
      "type": "seen",
      "source": "https://t.me/cibsecurity/23811",
      "content": "\u203c CVE-2020-28490 \u203c\n\nThe package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters (back-ticks). For example: git.reset('atouch HACKEDb')\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-02-18T18:50:22.000000Z"
    },
    {
      "uuid": "cd836e33-5adf-47d8-963d-dabd087533f4",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2020-28491",
      "type": "seen",
      "source": "https://t.me/cibsecurity/23808",
      "content": "\u203c CVE-2020-28491 \u203c\n\nThis affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-02-18T18:50:19.000000Z"
    },
    {
      "uuid": "d93cb930-aeec-4c41-a056-24250b86563b",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2020-28498",
      "type": "seen",
      "source": "https://t.me/cibsecurity/22969",
      "content": "\u203c CVE-2020-28498 \u203c\n\nAll versions of package elliptic are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-02-02T22:39:56.000000Z"
    },
    {
      "uuid": "b483ee22-7d0c-430f-bde1-9393f0994fd1",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2020-28493",
      "type": "seen",
      "source": "https://t.me/cibsecurity/22924",
      "content": "\u203c CVE-2020-28493 \u203c\n\nThis affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-02-01T23:25:05.000000Z"
    },
    {
      "uuid": "0d8bfbbf-e689-49ee-9fc6-be292dec0f5a",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2020-28494",
      "type": "seen",
      "source": "https://t.me/cibsecurity/22937",
      "content": "\u203c CVE-2020-28494 \u203c\n\nThis affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-02-02T15:25:03.000000Z"
    }
  ]
}