Description

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

Remediation

References

https://fluidattacks.com/advisories/myers/

https://github.com/Leonidas-from-XIV/node-xml2js/

https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html

Related Vulnerabilities

CVE-2020-26939 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk14

CVE-2020-8127 Vulnerability in maven package org.webjars.bowergithub.hakimel:reveal.js

CVE-2022-31108 Vulnerability in maven package org.webjars.bower:mermaid

CVE-2021-21391 Vulnerability in npm package @ckeditor/ckeditor5-image

CVE-2021-20190 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

Medium

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Exploit Third Party Advisory Product