CVE-2023-0842 - xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This i

CVE-2023-0842

Summary

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

References

https://fluidattacks.com/advisories/myers/
https://github.com/Leonidas-from-XIV/node-xml2js/
https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html

Vulnerable Configurations

cpe:2.3:a:xml2js_project:xml2js:0.4.23:*:*:*:*:*:*:*
cpe:2.3:a:xml2js_project:xml2js:0.4.23:*:*:*:*:*:*:*

CVSS

Base:	None
Impact:
Exploitability:

CWE

CWE-1321

CAPEC

Access

Vector	Complexity	Authentication

Impact

Confidentiality	Integrity	Availability

Last major update

14-03-2024 - 21:15

Published

05-04-2023 - 20:15

Last modified

14-03-2024 - 21:15