A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

🗓️ 30 Jun 2024 14:00:00Reported by MicrosoftType

Prototype pollution in xmldom copy function in dom.js before 0.8.3 for Node.js via the p variable.

Reporter	Title	Published	Views	Family All 32
IBM Security Bulletins	Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote code execution due to xmldom vulnerability [CVE-2022-37616]	3 Jan 202309:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operands that process XML may be vulnerable to arbitrary code execution due to [CVE-2022-37616]	1 Dec 202216:19	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities	19 Jan 202313:54	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs	15 Dec 202203:09	–	ibm
ATTACKERKB	CVE-2022-37616	11 Oct 202205:15	–	attackerkb
CBLMariner	CVE-2022-37616 affecting package python-tensorboard for versions less than 2.16.2-1	17 May 202421:38	–	cbl_mariner
CNNVD	XMLDOM 安全漏洞	11 Oct 202200:00	–	cnnvd
CVE	CVE-2022-37616	11 Oct 202200:00	–	cve
Cvelist	CVE-2022-37616	11 Oct 202200:00	–	cvelist
Debian	[SECURITY] [DLA 3154-1] node-xmldom security update	18 Oct 202215:06	–	debian