Source
ghsa
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos 0.9.0 and prior.
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos 0.9.0 and prior.
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos 0.9.0 and prior.
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.
Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos 0.9.0 and prior.
Incorrectly Specified Destination in a Communication Channel in GitHub repository usememos/memos 0.9.0 and prior.
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.
The `parse` method of the JSON5 library, in versions up to and including `2.2.1`, does not restrict parsing of keys named `__proto__`, so a specially crafted input string can replace the prototype of the object that `JSON5.parse` returns. This pollutes the prototype of that single returned object, not the global `Object.prototype`, which is what the term Prototype Pollution commonly refers to. Polluting the prototype of a single object can still have significant security impact if the application later uses that object in trusted operations, because the injected properties are inherited and visible to ordinary property access.

## Impact

This vulnerability allows an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact depends on how the application uses the returned object and how it filters unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases remote code execution.

## Mitigation

This vulnerability is patched in json5 v2.2.2 and...
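The following is an added illustration, not JSON5's own source. It mimics only the key-assignment step of an object parser, where the advisory's defect lives: the vulnerable builder stores each parsed key with `obj[key] = value`, so a key named `__proto__` hits the `Object.prototype.__proto__` setter and swaps the prototype of the object under construction; the hardened builder defines every key as an own property, which is the approach the 2.2.2 fix takes. The `payload`, `isAdmin` consumer and `demo` function are constructed for this example. It also shows why such pollution is easy to miss: `Object.keys` and `hasOwnProperty` on the polluted object do not reveal the injected `isAdmin`, while plain property access and `in` do, and the global `Object.prototype` stays clean.

```javascript
// Added example, not code from the JSON5 project. Only the key-assignment
// step of a parser is modelled; tokenizing is out of scope.

// Vulnerable pattern (as in json5 <= 2.2.1): assignment through the
// "__proto__" setter replaces the prototype of the object being built.
function buildObjectVulnerable(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    obj[key] = value; // "__proto__" is not stored as an own property
  }
  return obj;
}

// Hardened pattern (the approach of the 2.2.2 fix): define the key as an own
// property so "__proto__" becomes ordinary data and the prototype is untouched.
function buildObjectHardened(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value,
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return obj;
}

// Constructed attacker input: the key/value pairs a parser would yield for
//   {"user": "alice", "__proto__": {"isAdmin": true}}
const payload = [
  ['user', 'alice'],
  ['__proto__', { isAdmin: true }],
];

// Constructed trusted consumer: a privilege check that reads a flag with
// plain property access, which walks the prototype chain.
function isAdmin(parsed) {
  return parsed.isAdmin === true;
}

// Runs both builders on the payload and reports what the consumer observes.
function demo() {
  const vuln = buildObjectVulnerable(payload);
  const safe = buildObjectHardened(payload);
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return {
    // Vulnerable builder: flag is inherited, yet invisible to key listing.
    vulnIsAdmin: isAdmin(vuln),
    vulnOwnKeys: Object.keys(vuln),
    vulnHasOwnIsAdmin: hasOwn(vuln, 'isAdmin'),
    vulnInIsAdmin: 'isAdmin' in vuln,
    vulnProtoIsAttacker: Object.getPrototypeOf(vuln) === payload[1][1],
    // Hardened builder: "__proto__" is just an own key; no inherited flag.
    safeIsAdmin: isAdmin(safe),
    safeOwnKeys: Object.keys(safe),
    safeProtoIsObject: Object.getPrototypeOf(safe) === Object.prototype,
    // Global prototype is not affected in either case (per the advisory).
    globalPolluted: ({}).isAdmin === true,
  };
}

console.log(demo());
```

When auditing code that consumes parsed input, the check to reach for is therefore not `Object.keys(obj).includes('isAdmin')` but `Object.getPrototypeOf(obj) === Object.prototype` (or building consumers on `Object.create(null)` objects and own-property lookups), since the injected keys never appear as own properties of the polluted object.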