Description
Prototype Pollution in SheetJS
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.
A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package xlsx are no longer maintained. Version 0.19.3 can be downloaded via https://cdn.sheetjs.com/.
Packages
xlsx
None
Related vulnerabilities
SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words, 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.
A vulnerability in the SheetJS Community Edition NPM package, caused by uncontrolled modification of object prototype attributes, that allows an attacker to carry out a "prototype pollution" attack