#VU67178 Prototype pollution in DataTables - CVE-2020-28458
Published: September 12, 2022 / Updated: October 22, 2024
Vulnerability identifier: #VU67178
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2020-28458
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
DataTables
DataTables
Software vendor:
DataTables
DataTables
Description
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
Remediation
Install update from vendor's website.
External links
- https://github.com/DataTables/Dist-DataTables/blob/master/js/jquery.dataTables.js%23L2766
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1051961
- https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03
- https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1051962
- https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806