CVSS: 7.7EPSS: 0%CPEs: 24EXPL: 2CVE-2020-5258 – Prototype pollution in dojo
https://notcve.org/view.php?id=CVE-2020-5258
In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2 En las versiones afectadas de dojo (paquete NPM), el método deepCopy es vulnerable a una Contaminación de Prototipo. La Contaminación de Prototipo se refiere a la capacidad de inyectar propiedades en prototipos de construcciones de lenguaje JavaScript existentes, tales como objetos. • https://github.com/ossf-cve-benchmark/CVE-2020-5258 https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2 https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b%40%3Cusers.qpid.apache.org%3E https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3%40%3Cusers.qpid.apache.org%3E https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00%40%3Cusers.qpid.apache.o • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 8.6EPSS: 0%CPEs: 6EXPL: 1CVE-2020-5259 – Prototype Pollution in Dojox
https://notcve.org/view.php?id=CVE-2020-5259
In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2 En las versiones afectadas de dojox (paquete NPM), el método jqMix es vulnerable a una Contaminación de Prototipo. La Contaminación de Prototipo se refiere a la capacidad de inyectar propiedades en prototipos de construcciones de lenguaje JavaScript existentes, tales como objetos. • https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16302
https://notcve.org/view.php?id=CVE-2019-16302
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the Ethernet VPN application (org.onosproject.evpnopenflow), the host event listener does not handle the following event types: HOST_MOVED, HOST_UPDATED. In combination with other applications, this could lead to the absence of intended code execution. Se detectó un problema en Open Network Operating System (ONOS) versión 1.14. En la aplicación VPN Ethernet (org.onosproject.evpnopenflow), el listener de eventos del host no maneja los siguientes tipos de eventos: HOST_MOVED, HOST_UPDATED. • https://www.ndss-symposium.org/wp-content/uploads/2020/02/24080.pdf • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16301
https://notcve.org/view.php?id=CVE-2019-16301
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the virtual tenant network application (org.onosproject.vtn), the host event listener does not handle the following event types: HOST_MOVED. In combination with other applications, this could lead to the absence of intended code execution. Se detectó un problema en Open Network Operating System (ONOS) versión 1.14. En la aplicación virtual tenant network (org.onosproject.vtn), el listener de eventos del host no maneja los siguientes tipos de eventos: HOST_MOVED. • https://www.ndss-symposium.org/wp-content/uploads/2020/02/24080.pdf • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16300
https://notcve.org/view.php?id=CVE-2019-16300
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the access control application (org.onosproject.acl), the host event listener does not handle the following event types: HOST_REMOVED. In combination with other applications, this could lead to the absence of intended code execution. Se detectó un problema en Open Network Operating System (ONOS) versión 1.14. En la aplicación access control (org.onosproject.acl), el listener de eventos del host no maneja los siguientes tipos de eventos: HOST_REMOVED. • https://www.ndss-symposium.org/wp-content/uploads/2020/02/24080.pdf • CWE-755: Improper Handling of Exceptional Conditions •