GHSA-9pgh-qqpf-7wqj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

Impact

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3.
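The CVE description at the end of this page names the loop variable `p` in the `copy` function; the following is an added illustration of that vulnerability class (CWE-1321), not xmldom's own dom.js code. It puts an unfiltered recursive property copy beside a hardened form and checks, with a constructed hostile input, whether each one lets an own `__proto__` key reach `Object.prototype`.

```javascript
// Added illustration of CWE-1321, not xmldom's own dom.js code: a
// recursive property copy that walks every enumerable key `p` of its
// input without filtering. With an own "__proto__" key in the input,
// dest[p] resolves to Object.prototype and the recursion writes into it.
function unsafeCopy(src, dest) {
  for (var p in src) {
    var v = src[p];
    if (typeof v === 'object' && v !== null) {
      if (dest[p] === undefined) dest[p] = {};
      unsafeCopy(v, dest[p]);
    } else {
      dest[p] = v;
    }
  }
  return dest;
}

// Hardened form: only own keys are treated as data, and the keys that
// can reach a prototype are skipped before any write happens.
var hasOwn = Object.prototype.hasOwnProperty;
function safeCopy(src, dest) {
  for (var p in src) {
    if (!hasOwn.call(src, p)) continue;
    if (p === '__proto__' || p === 'constructor' || p === 'prototype') continue;
    var v = src[p];
    if (typeof v === 'object' && v !== null) {
      var nested = hasOwn.call(dest, p) && typeof dest[p] === 'object' && dest[p] !== null;
      if (!nested) dest[p] = {};
      safeCopy(v, dest[p]);
    } else {
      dest[p] = v;
    }
  }
  return dest;
}

// Constructed hostile input: what untrusted serialised data deserialises to.
var HOSTILE = JSON.parse('{"__proto__": {"polluted": true}}');
// Runs one copy routine on HOSTILE and reports whether a fresh, unrelated
// object now sees the injected key; always restores Object.prototype.
function pollutes(copyFn) {
  try {
    copyFn(HOSTILE, {});
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('unsafeCopy pollutes:', pollutes(unsafeCopy), '| safeCopy pollutes:', pollutes(safeCopy));
```

The same `pollutes` check can be pointed at any object-merging helper in your own code to confirm it filters inherited and prototype-reaching keys.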

Patches

Update to @xmldom/xmldom@0.8.3 or higher, or to @xmldom/xmldom@0.9.0-beta.2 or higher if you are on the dist-tag next.

Workarounds

No. If you cannot update to v0.8.3, please let us know; we would be able to also provide a patch update for version 0.7.x if required.

References

https://github.com/xmldom/xmldom/pull/437

For more information

If you have any questions or comments about this advisory:

  • Email us at [email protected]
  • Add information to https://github.com/xmldom/xmldom/issue/436
Moderate severity GitHub Reviewed Published Oct 11, 2022 in xmldom/xmldom

Package: @xmldom/xmldom (npm)

  • Affected versions: < 0.8.3, = 0.9.0-beta.1
  • Patched versions: 0.8.3, 0.9.0-beta.2

Package: xmldom (npm)

  • Affected versions: <= 0.6.0
  • Patched versions: None

References

  • GHSA-9pgh-qqpf-7wqj
  • https://nvd.nist.gov/vuln/detail/CVE-2022-37616
  • xmldom/xmldom#436
  • xmldom/xmldom#437
  • https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1
  • https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3

karfau published the maintainer security advisory on Oct 11, 2022.

Severity: Moderate (CVSS base score 6.4 / 10)

CVSS base metrics

  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: None
  • Scope: Changed
  • Confidentiality: None
  • Integrity: High
  • Availability: Low

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L

Weaknesses: CWE-1321

CVE ID: CVE-2022-37616

GHSA ID: GHSA-9pgh-qqpf-7wqj

Source code: xmldom/xmldom

Credits

  • Supraja9726


Related news

Ubuntu Security Notice USN-6102-1

Ubuntu Security Notice 6102-1 - It was discovered that xmldom incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause unexpected syntactic changes during XML processing. This issue only affected Ubuntu 20.04 LTS. It was discovered that xmldom incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

CVE-2022-37616: xmldom/dom.js at bc36efddf9948aba15618f85dc1addfc2ac9d7b2 · xmldom/xmldom

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable.