3 matches found
CVE-2020-28276
Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution...
@dataparty/bouncer-model (>=1.0.1 <=1.4.0), @dataparty/dpc (>=0.1.0 <=0.4.14) +8 more potentially affected by CVE-2020-28276 via deep-set (=1.0.1)
deep-set NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on deep-set and may be impacted: - @dataparty/bouncer-model =1.0.1, =0.1.0, =0.1.1, =1.0.1, =0.1.0, =0.0.1, =2.2.0 - stalwart =0.1.0 Source cves: CVE-2020-28276 Source advisory:...
CVE-2020-28276
CVE-2020-28276 concerns the npm package deep-set , with vulnerable versions 1.0.0–1.0.1. The root cause is a prototype pollution flaw where the function deepSet() may assign to proto without validating object types, enabling an attacker to manipulate properties and potentially cause Denial of Ser...