Severity: Medium2023-02-03
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
The Oxygen products incorporate qs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
| Product | Severity | Fixed Release Availability |
| Oxygen Content Fusion v5.0.1 and older | Medium | Oxygen Content Fusion 5.0.2 build 2022121305 |
CVE-2022-24999
Severity: High
CVSS Score: 7.5
The qs third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24999 vulnerability description.
Starting with Oxygen Content Fusion v5.0.2 build 2022121305 qs library was updated to v6.11.0 which fixes this vulnerability.
This website was created & generated with <oXygen/>®XML Editor
