CVE-2023-0842

Published Apr 5, 2023

Last updated 8 months ago

Overview

Description: xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
Source: help@fluidattacks.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.3
Impact score: 1.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: CWE-1321

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:xml2js_project:xml2js:0.4.23:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "70BD0806-8B12-4AE6-B83D-95A30A40E3C1"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References