EUVD-2019-0624

Malware in sbrugna...

@peak-stone/vue-admin (>=1.0.1 <=2.1.1) potentially affected by CVE-2019-10745 via assign-deep (=1.0.0)

assign-deep NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on assign-deep and may be impacted: - @peak-stone/vue-admin =1.0.1, =2.1.1 Source cves: CVE-2019-10745 Source advisory: OSV:GHSA-66RH-8FW6-59Q6...

@careteam/mfe-init (=0.0.8), @topfeed/topfeed (>=0.0.30 <=0.0.44) +69 more potentially affected by CVE-2019-10745 via assign-deep (>=0.1.2 <=0.4.7)

assign-deep NPM version =0.1.2, =0.0.30, =0.0.1, =1.0.0, =0.0.1, =0.1.0, =1.0.0, =1.2.0, =0.0.1, =1.0.0, =1.0.0, =0.0.1, =0.0.1, =1.0.0, =2.3.0 and more Source cves: CVE-2019-10745 Source advisory: OSV:GHSA-66RH-8FW6-59Q6...

GHSA-66RH-8FW6-59Q6 assign-deep Vulnerable to Prototype Pollution

Versions of assign-deep prior to 1.0.1 and 0.4.8 are vulnerable to Prototype Pollution. The assign function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects...

@careteam/mfe-init (=0.0.8), @topfeed/topfeed (>=0.0.30 <=0.0.44) +69 more potentially affected by CVE-2019-10745 via assign-deep (>=0.1.2 <=0.4.7)

assign-deep NPM version =0.1.2, =0.0.30, =0.0.1, =1.0.0, =0.0.1, =0.1.0, =1.0.0, =1.2.0, =0.0.1, =1.0.0, =1.0.0, =0.0.1, =0.0.1, =1.0.0, =2.3.0 and more Source cves: CVE-2019-10745 Source advisory: SNYK:JS-ASSIGNDEEP-450211...

@peak-stone/vue-admin (>=1.0.1 <=2.1.1) potentially affected by CVE-2019-10745 via assign-deep (=1.0.0)

assign-deep NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on assign-deep and may be impacted: - @peak-stone/vue-admin =1.0.1, =2.1.1 Source cves: CVE-2019-10745 Source advisory: SNYK:JS-ASSIGNDEEP-450211...