{"id":"CVE-2020-28460","details":"This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.","aliases":["GHSA-67mq-h2r9-rh2m"],"modified":"2026-04-10T04:25:47.815442Z","published":"2020-12-22T13:15:12.507Z","related":["SNYK-JS-MULTIINI-1053229"],"references":[{"type":"FIX","url":"https://github.com/evangelion1204/multi-ini/commit/6b2212b2ce152c19538a2431415f72942c5a1bde"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-MULTIINI-1053229"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/evangelion1204/multi-ini","events":[{"introduced":"0"},{"fixed":"6b2212b2ce152c19538a2431415f72942c5a1bde"}]},{"type":"GIT","repo":"https://github.com/evangelion1204/multi-ini","events":[{"introduced":"0"},{"fixed":"6b2212b2ce152c19538a2431415f72942c5a1bde"}]}],"versions":["v0.4.0","v0.4.1","v0.5.0","v0.5.1","v0.5.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28460.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2.1.2"}]},{"events":[{"introduced":"0"},{"fixed":"2.1.2"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}