Prototype pollution in xmldom - CVE-2022-37616
Published: June 16, 2023
Vulnerability identifier: #VU77487
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-37616
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: xmldom
Affected software:
xmldom
xmldom
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists in the function copy in dom.js in the xmldom package for Node.js via the p variable. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
How to mitigate CVE-2022-37616
Install update from vendor's website.
Sources
- https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1
- https://github.com/xmldom/xmldom/issues/436
- https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3
- https://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj
- https://lists.debian.org/debian-lts-announce/2022/10/msg00023.html
- https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
- https://dl.acm.org/doi/abs/10.1145/3488932.3497769
- http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
- https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
- https://github.com/xmldom/xmldom/issues/436#issuecomment-1327776560