CVE-2019-18954 - Exposure of Resource to Wrong Sphere vulnerability in Netease Pomelo 2.2.5

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
CWE-668

Summary

Pomelo v2.2.5 allows external control of critical state data. Malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten by an attribute with a conflicting name. An attacker can therefore manipulate internal attributes by adding extra attributes to user input.

Vulnerable Configurations

Part | Description | Count
Application | Netease | 1

Common Weakness Enumeration (CWE)