Lucene search

K

Veracode Vulnerability DatabaseVERACODE:37525

HistoryOct 12, 2022 - 7:30 a.m.

Prototype Pollution

2022-10-1207:30:56

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

20

xmldom

vulnerability

prototype pollution

javascript

dom.js

validation

attacker

contamination

software

EPSS

0.003

Percentile

69.2%

xmldom is vulnerable to prototype pollution. The vulnerability exists because of lack of validations in copy function in dom.js which allows an attacker to inject malicious characteristics to add new values to a javascript application object prototype,overwriting or contaminating the base object.

References

users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf

dl.acm.org/doi/abs/10.1145/3488932.3497769

dl.acm.org/doi/pdf/10.1145/3488932.3497769

github.com/advisories/GHSA-9pgh-qqpf-7wqj

github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1

github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3

github.com/xmldom/xmldom/commit/1f20aee8ef1a8f3964add1a188f723bbc54862a0

github.com/xmldom/xmldom/commit/6956ec406fd4658dfb028a327c7a39238b24c3cd

github.com/xmldom/xmldom/commit/7c0d4b7fbf74079060a2f135a369adeeccaf4b18

github.com/xmldom/xmldom/issues/436

github.com/xmldom/xmldom/issues/436#issuecomment-1319412826

github.com/xmldom/xmldom/issues/436#issuecomment-1327776560

github.com/xmldom/xmldom/pull/437

github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj

lists.debian.org/debian-lts-announce/2022/10/msg00023.html

EPSS

0.003

Percentile

69.2%

Related for VERACODE:37525

prion1 osv4 ibm4 ubuntucve1 debian1 cbl_mariner1 cve1 nessus3 debiancve1 openvas2 cvelist1 nvd1 github1 ubuntu1