Main Vulnerability Database Vulnerabilities #VU19305

#VU19305 Prototype pollution in Lodash - CVE-2018-16487

Published: July 22, 2019

Vulnerability identifier: #VU19305

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2018-16487

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Lodash

Software vendor:
Lodash

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the merge, mergeWith, and defaultsDeep functions. A remote attacker can send a specially crafted request and add or modify properties of Object.prototype.

Successful exploitation of this vulnerability may result in complete compromise of the affected application.

Remediation

Install updates from vendor's website.

External links

https://hackerone.com/reports/380873

#VU19305 Prototype pollution in Lodash - CVE-2018-16487

Description

Remediation

External links

Please verify you're human