Bigpipe predefine security breach

Bigpipe Predefine is a code library for managing Object.defineProperties objects in the Javascript language by the Bigpipe individual developers. A security vulnerability exists in predefine versions 0.0.0 through 0.1.2 that can be exploited by an attacker to cause a denial of service and...

Prototype Pollution

Overview deeps is a Highly performant utilities to manage deeply nested objects. get, set, merge, flatten, diff etc. Affected versions of this package are vulnerable to Prototype Pollution via the set function. POC: const deeps = require'deeps'; deeps.set, 'proto.polluted', true;...

Google Chrome Extensions Subsystem Homology Policy Bypass Vulnerability

Google Chrome is a popular web browser. Google Chrome's Extensions subsystem fails to restrict the use of the Object.defineProperty method to rewrite build-in extension code, which can be exploited by remote attackers to bypass the same-origin policy using specially crafted JavaScript code...

chromium-browser: same-origin bypass in Extensions

The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code...

CVE-2016-1622

The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code...

Mozilla: top object and location property accessible by plugins (MFSA 2012-82)

Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allow remote attackers to conduct cross-site scripting XSS attacks via a binary plugin that uses Object.defineProperty to shadow the top object, and...

Mozilla: Location object can be shadowed using Object.defineProperty (MFSA 2012-59)

Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 do not prevent use of the Object.defineProperty method to shadow the location object aka window.location, which makes it easier for remote attackers to conduct cross-site scripting XSS attacks via vectors involving a...

Mozilla: Location object can be shadowed using Object.defineProperty (MFSA 2012-59)

Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 do not prevent use of the Object.defineProperty method to shadow the location object aka window.location, which makes it easier for remote attackers to conduct cross-site scripting XSS attacks via vectors involving a...