Vulnerabilities > CVE-2022-37616

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

xmldom-project

debian

critical

NVD

Published: 2022-10-11

Updated: 2023-02-10

Summary

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

Vulnerable Configurations

Part	Description	Count
Application	Xmldom_Project Xmldom Project Xmldom 0.9.0 Xmldom Project Xmldom 0.8.0 Xmldom Project Xmldom 0.8.1 Xmldom Project Xmldom 0.8.2 Xmldom Project Xmldom 0.7.0 Xmldom Project Xmldom 0.7.1 Xmldom Project Xmldom 0.7.2 Xmldom Project Xmldom 0.7.3 Xmldom Project Xmldom 0.7.4 Xmldom Project Xmldom 0.7.5 Xmldom Project Xmldom 0.1.10	12
OS	Debian Debian Debian Linux 10.0	1

Vulnerabilities > CVE-2022-37616 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2022-37616"}]}

Summary

Vulnerable Configurations

References

Vulnerabilities > CVE-2022-37616