Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
CPE | Name | Operator | Version |
---|---|---|---|
debian_linux | eq | 10.0 | |
loader-utils | lt | 1.4.1 | |
loader-utils | ge | 2.0.0 | |
loader-utils | lt | 2.0.3 |
users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
dl.acm.org/doi/abs/10.1145/3488932.3497769
dl.acm.org/doi/pdf/10.1145/3488932.3497769
github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js
github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js
github.com/webpack/loader-utils/issues/212
github.com/webpack/loader-utils/issues/212
github.com/xmldom/xmldom/issues/436
lists.debian.org/debian-lts-announce/2022/12/msg00044.html