Headline
CVE-2023-45282: Protect against prototype pollution in import action by davetsay · Pull Request #7094 · nasa/openmct
In NASA Open MCT (aka openmct) 2.2.5 before 545a177, prototype pollution can occur via an import action.
@@ -20,6 +20,8 @@
* at runtime from the About dialog for additional information.
*****************************************************************************/
import { filter__proto__ } from '…/…/utils/sanitization’;
export default class LocalStorageObjectProvider {
constructor(spaceKey = ‘mct’) {
this.localStorage = window.localStorage;
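Review bot: the name of the imported helper, filter__proto__, suggests it drops only the `__proto__` key, and its body in utils/sanitization is not visible in this hunk. Please confirm whether `constructor` and `prototype` keys also need filtering on this path, and add a short doc comment on the helper stating that it is intended to be passed as a JSON.parse reviver.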
@@ -83,7 +85,7 @@ export default class LocalStorageObjectProvider {
* @private
*/
getSpaceAsObject() {
return JSON.parse(this.getSpace());
return JSON.parse(this.getSpace(), filter__proto__);
}
/**
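Review bot: in getSpaceAsObject(), the reviver is applied to what is read back through getSpace(), but this hunk carries no test for it. Suggest a regression test that stores a space containing a `__proto__` key and asserts that the parsed result has no such own key and that Object.prototype is unchanged. Since the PR title names the import action, also check that the other JSON.parse calls over imported or persisted data pass the same reviver, so the protection does not depend on which provider loaded the object.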