Prototype pollution in xmldom - CVE-2022-37616
Published: June 16, 2023
Vulnerability identifier: #VU77487
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-37616
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
xmldom
xmldom
Software vendor:
xmldom
xmldom
Description
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists in the function copy in dom.js in the xmldom package for Node.js via the p variable. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
Remediation
Install update from vendor's website.
External links
- https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1
- https://github.com/xmldom/xmldom/issues/436
- https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3
- https://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj
- https://lists.debian.org/debian-lts-announce/2022/10/msg00023.html
- https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
- https://dl.acm.org/doi/abs/10.1145/3488932.3497769
- http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
- https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
- https://github.com/xmldom/xmldom/issues/436#issuecomment-1327776560