Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2018-3752 Vulnerability in npm package merge-options

Description

The utilities function in all versions <= 1.0.0 of the merge-options node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Remediation

References

https://hackerone.com/reports/311336

Related Vulnerabilities

CVE-2019-5786 Vulnerability in npm package electron

CVE-2020-7679 Vulnerability in maven package org.webjars.bower:casperjs

CVE-2021-33041 Vulnerability in npm package vmd

CVE-2022-3783 Vulnerability in npm package node-red-dashboard

CVE-2021-21290 Vulnerability in maven package io.netty:netty-transport-native-epoll

Severity

Critical

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Issue Tracking Third Party Advisory