#VU47225 Prototype pollution


Published: 2020-09-30 | Updated: 2020-12-22

Vulnerability identifier: #VU47225

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-7720

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
node-forge
Web applications / Modules and components for CMS

Vendor: Synex Technologies

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the util.setPath function. A remote attacker can inject and execute arbitrary script code.


Mitigation
Update to version 0.10.0.

Vulnerable software versions

node-forge: 0.1.2 - 0.9.2


CPE

External links
http://www.npmjs.com/advisories/1561


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability