CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 2CVE-2019-10746 – nodejs-mixin-deep: prototype pollution in function mixin-deep
https://notcve.org/view.php?id=CVE-2019-10746
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. mixin-deep es vulnerable a Prototype Pollution en versiones anteriores a 1.3.2 y 2.0.0. La función mixin-deep podría ser engañada para agregar o modificar propiedades de Object.prototype usando una carga útil del constructor. A flaw was found in Nodejs's mixin-deep prior to versions 1.3.2 and 2.0.0. The mixin-deep function could be used to add or modify properties of the Object.prototype. • https://github.com/ossf-cve-benchmark/CVE-2019-10746 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212 https://www.oracle.com//security-alerts/cpujul2021.html https://access.redhat.com/security/cve/CVE-2019-10746 https://bugzilla.redhat.com/show_bug.cgi?id=1795475 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE-471: Modification of Assumed-Immutable Data (MAID) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2018-3719
https://notcve.org/view.php?id=CVE-2018-3719
mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects. El módulo de node mixin-deep en versiones anteriores a la 1.3.1 se ve afectada por una vulnerabilidad MAID (modificación de datos asumidos como asumible), lo que permite que un usuario malicioso modifique el prototipo de "Object" mediante __proto__, provocando la adición o modificación de una propiedad existente que va a existir en todos los objetos. • https://github.com/ossf-cve-benchmark/CVE-2018-3719 https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c https://hackerone.com/reports/311236 • CWE-20: Improper Input Validation CWE-471: Modification of Assumed-Immutable Data (MAID) •