3 matches found
@vidispine/vdt-materialui (>=0.12.0 <=26.2.0-pre.1) potentially affected by CVE-2020-8203 via lodash.updatewith (=4.10.2)
lodash.updatewith NPM version =4.10.2 is affected by a known vulnerability. The following packages have a transitive dependency on lodash.updatewith and may be impacted:
- @vidispine/vdt-materialui =0.12.0, =26.2.0-pre.1
Source CVEs: CVE-2020-8203
Source advisory: OSV:GHSA-P6MC-M468-83GW...
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires...
PT-2020-5991 · Lodash +1 · Lodash +1
Name of the Vulnerable Software and Affected Versions:
Lodash versions prior to 4.17.20
Lodash versions prior to 4.17.19
Description: The issue is related to a prototype pollution attack when using the _.zipObjectDeep function in Lodash. This can lead to denial of service or code execution under...