Vulnerability identifier: #VU100116
Vulnerability risk: High
CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID: CWE-1321
Exploitation vector: Network
Exploit availability: No
Vulnerable software: dset (Web applications / Other software)
Vendor: lukeed
Description
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
dset: 1.0.0 - 3.1.3
External links
https://security.snyk.io/vuln/SNYK-JS-DSET-7116691
https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.