Main Vulnerability Database Vulnerabilities #VU98525

#VU98525 Prototype pollution in uPlot - CVE-2024-21489

Published: October 14, 2024

Vulnerability identifier: #VU98525

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2024-21489

CWE-ID: CWE-1321

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
uPlot

Software vendor:
Leon Sorokin

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation within the uplot.assign() function. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

Remediation

Install update from vendor's website.

External links

https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224
https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452
https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983

#VU98525 Prototype pollution in uPlot - CVE-2024-21489

Description

Remediation

External links

Please verify you're human