6 matches found
Arbitrary Code Injection
Overview lodash-rails is a lodash for the Rails asset pipeline. Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at template compilation time by injecting...
Code Injection
Overview lodash-rails is a lodash for the Rails asset pipeline. Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in .template. An attacker can execute arbitrary code at template compilation time by injecting malicious...
Prototype Pollution
Overview lodash-rails is a lodash for the Rails asset pipeline. Affected versions of this package are vulnerable to Prototype Pollution. The function zipObjectDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects. PoC js...
Prototype Pollution
Overview lodash-rails is a lodash for the Rails asset pipeline. Affected versions of this package are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. PoC by Snyk const mergeFn =...
Prototype Pollution
Overview lodash-rails is a lodash for the Rails asset pipeline. Affected versions of this package are vulnerable to Prototype Pollution. The functions merge, mergeWith, and defaultsDeep could be tricked into adding or modifying properties of Object.prototype. This is due to an incomplete fix to...
Prototype Pollution
Overview lodash-rails is a lodash for the Rails asset pipeline. Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allow modification of the Object prototype. If an attacker can control part of the structure passed to this function, they could add or...