PT-2019-15731 · Pomelo · Pomelo

Xiaofen9 · Published 2019-11-13 · Updated 2020-08-24 · CVE-2019-18954

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Pomelo version 2.2.5

Description

The issue allows external control of critical state data. Malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. An attacker can therefore manipulate internal attributes by adding extra attributes to user input.

Recommendations

For Pomelo version 2.2.5, as a temporary workaround, consider restricting user input to prevent the addition of conflicting attributes that could overwrite internal attributes in the entryHandler.js file. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
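
One way to implement the input restriction described in the recommendation, as an added example that is not Pomelo's code or part of the advisory: a per-route allowlist that rejects any client message carrying an attribute the handler does not expect. The route name, field names and sample messages are assumptions constructed for illustration.

```javascript
'use strict';

// Hypothetical allowlist (assumption): route -> permitted client attributes
// and their types. Route and field names are illustrative, not Pomelo's.
const ROUTE_SCHEMAS = new Map([
  ['connector.entryHandler.entry', { username: 'string', rid: 'string' }],
]);

class RejectedMessage extends Error {}

// Returns a fresh, prototype-less copy holding only allowlisted attributes.
// Throws RejectedMessage on any unknown attribute, so a name that conflicts
// with an internal attribute never reaches the handler.
function sanitizeMessage(route, rawMsg) {
  const schema = ROUTE_SCHEMAS.get(route);
  if (!schema) throw new RejectedMessage(`no schema for route ${route}`);
  if (rawMsg === null || typeof rawMsg !== 'object' || Array.isArray(rawMsg)) {
    throw new RejectedMessage('message must be a plain object');
  }
  const clean = Object.create(null);
  for (const key of Object.keys(rawMsg)) {
    // Own-property check: inherited names such as "constructor" do not match.
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      throw new RejectedMessage(`unexpected attribute: ${key}`);
    }
    if (typeof rawMsg[key] !== schema[key]) {
      throw new RejectedMessage(`wrong type for attribute: ${key}`);
    }
    clean[key] = rawMsg[key];
  }
  return clean;
}

// True when the message passes the allowlist; other errors still propagate.
function isAccepted(route, rawMsg) {
  try { sanitizeMessage(route, rawMsg); return true; }
  catch (e) { if (e instanceof RejectedMessage) return false; throw e; }
}

// Constructed sample inputs (not captured traffic).
const ROUTE = 'connector.entryHandler.entry';
const benign = JSON.parse('{"username":"alice","rid":"room1"}');
const conflicting = JSON.parse('{"username":"alice","rid":"room1","constructor":"x"}');
console.log('benign accepted:', isAccepted(ROUTE, benign));
console.log('conflicting accepted:', isAccepted(ROUTE, conflicting));
```

The handler should work only on the object returned by sanitizeMessage, never on the raw message, so that rejected names cannot be reintroduced later in the request path.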

Exploit

Exposure of Resource to Wrong Sphere

Weakness Enumeration

Related Identifiers

CVE-2019-18954
GHSA-4X6V-RWH4-55JW

Affected Products

Pomelo