Description
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties take the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

| Release | Status | Note |
|---|---|---|
| bionic | DNE | |
| devel | not-affected | 0.8.6-1 |
| esm-apps/focal | released | 0.1.27+ds-1+deb10u2build0.20.04.1 |
| esm-apps/jammy | released | 0.7.5-1ubuntu0.22.04.1 |
| focal | released | 0.1.27+ds-1+deb10u2build0.20.04.1 |
| jammy | released | 0.7.5-1ubuntu0.22.04.1 |
| kinetic | released | 0.7.5-1ubuntu0.22.10.1 |
| lunar | not-affected | 0.8.6-1 |
| trusty | ignored | end of standard support |
| upstream | released | 0.8.3 |

CVSS3: 9.8 Critical
Related vulnerabilities
Withdrawn: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom