CVE-2024-21489
8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:P
Summary
Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | uplot | 0 < 1.6.31 | affected |
Weaknesses
- CWE-1321: Prototype Pollution
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224
- https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452
- https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.