{"id":"CVE-2020-28460","details":"This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.","aliases":["GHSA-67mq-h2r9-rh2m","SNYK-JS-MULTIINI-1053229"],"modified":"2026-05-28T04:05:57.981440159Z","published":"2020-12-22T13:15:12.507Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"fixed":"2.1.2"}],"source":"CPE_RANGE","cpes":["cpe:2.3:a:multi-ini_project:multi-ini:*:*:*:*:*:node.js:*:*"],"vendor_product":"multi-ini_project:multi-ini"},{"extracted_events":[{"fixed":"2.1.2"}],"source":"DESCRIPTION"}]},"references":[{"type":"FIX","url":"https://github.com/evangelion1204/multi-ini/commit/6b2212b2ce152c19538a2431415f72942c5a1bde"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-MULTIINI-1053229"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/evangelion1204/multi-ini","events":[{"introduced":"0"},{"fixed":"6b2212b2ce152c19538a2431415f72942c5a1bde"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v0.5.2","v0.5.1","v0.5.0","v0.4.1","v0.4.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-28460.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}