Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2022-37616

Опубликовано: 11 окт. 2022
Источник: debian
EPSS Низкий

Описание

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

Пакеты

ПакетСтатусВерсия исправленияРелизТип
node-xmldomfixed0.8.3-1package
node-xmldomfixed0.5.0-1+deb11u1bullseyepackage

Примечания

  • https://github.com/xmldom/xmldom/issues/436

  • https://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj

  • Fixed by: https://github.com/xmldom/xmldom/commit/6956ec406fd4658dfb028a327c7a39238b24c3cd (0.9.0-beta.2)

  • Fixed by: https://github.com/xmldom/xmldom/commit/7c0d4b7fbf74079060a2f135a369adeeccaf4b18 (0.8.3)

EPSS

Процентиль: 80%
0.0141
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2022-37616

CVSS3: 9.8
ubuntu
больше 3 лет назад

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

nvd логотип

CVE-2022-37616

CVSS3: 9.8
nvd
больше 3 лет назад

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

msrc логотип

CVE-2022-37616

CVSS3: 9.8
msrc
больше 1 года назад

Описание отсутствует

github логотип

GHSA-9pgh-qqpf-7wqj

CVSS3: 9.8
github
больше 3 лет назад

Withdrawn: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

EPSS

Процентиль: 80%
0.0141
Низкий