Main Vulnerability Database Vulnerabilities #VU82314

#VU82314 Prototype pollution in zrender - CVE-2021-39227

Published: October 24, 2023

Vulnerability identifier: #VU82314

Vulnerability risk: Critical

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red

CVE-ID: CVE-2021-39227

CWE-ID: CWE-1321

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
zrender

Software vendor:
Baidu EFE team

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability..

External links

https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf
https://github.com/ecomfe/zrender/pull/826
https://github.com/ecomfe/zrender/releases/tag/5.2.1