xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
References
Link | Resource |
---|---|
https://fluidattacks.com/advisories/myers/ | Exploit Third Party Advisory |
https://github.com/Leonidas-from-XIV/node-xml2js/ | Product |
https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Fluid Attacks
Published: 2023-04-05T00:00:00
Updated: 2024-03-14T21:06:01.826215
Reserved: 2023-02-15T00:00:00
Link: CVE-2023-0842
JSON object: View
NVD Information
Status : Modified
Published: 2023-04-05T20:15:07.493
Modified: 2024-03-14T21:15:50.517
Link: CVE-2023-0842
JSON object: View
Redhat Information
No data.
CWE