CMS MADE SIMPLE FORGE

CMS Made Simple Core

 
Back Back to List

[#12572] Prototype Pollution

avatar
Created By: pranshu (pranshu)
Date Submitted: Fri Nov 04 07:08:22 -0400 2022

Assigned To: CMS Made Simple Foundation (cmsmsfoundation)
Version: 2.2.16
CMSMS Version: 2.2.16
Severity: Major
Resolution: None
State: Open
Summary:
Prototype Pollution
Detailed Description:
Prototype pollution is a vulnerability where an attacker is able to modify
Object.prototype. Because nearly all objects in JavaScript are instances of
Object, a typical object inherits properties (including methods) from
Object.prototype. Changing Object.prototype can result in a wide range of
issues, sometimes even resulting in remote code execution.

The most common way to cause prototype pollution is to use an unsafe merge or
extend function to recursively copy properties from an untrusted source object.

Note: I have found this vulnerability in the latest version of product.

Refer: https://www.acunetix.com/vulnerabilities/web/prototype-pollution/


History

Comments
avatar 
Date: 2022-11-04 08:45
Posted By: Fernando Morgado (JoMorg)

We appreciate your time to report this issues although we recommend to use the
specific channels we use for vulnerability reports:
https://www.cmsmadesimple.org/community/get-involved/report-a-vulnerability
Please be as thorough as possible in that report as that is not a public channel
of communication.
Thank you
Updates

Updated: 2022-11-04 07:08
description: Prototype pollution is a vulnerability where an attacker is able to modify Object.prototype. Because nearly all objects in JavaScript are instances of Object, a typical object inherits properties (including methods) from Object.prototype. Changing Object. => Prototype pollution is a vulnerability where an attacker is able to modify Object.prototype. Because nearly all objects in JavaScript are instances of Object, a typical object inherits properties (including methods) from Object.prototype. Changing Object.
resolution_id: => 5