2 matches found
@trovo/components (>=5.0.2 <=5.3.0), @trovo/motion (>=5.0.2 <=6.0.0) +9 more potentially affected by CVE-2020-28277 via dset (=1.0.1)
dset NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on dset and may be impacted: - @trovo/components =5.0.2, =5.0.2, =5.0.0, =1.0.15, =1.1.4, =1.0.0, =2.2.0, =1.0.0, =0.0.1, =0.0.2, =0.0.11 Source cves: CVE-2020-28277 Source advisory:...
CVE-2020-28277
Prototype pollution in the npm module dset (versions 1.0.0–2.0.1) allows an attacker to pollute Object.prototype, enabling DoS and potentially remote code execution. Affected function is the export logic handling obj, keys, val without proper validation. Documented exploitation points include man...