#VU83421 Prototype pollution in flat - CVE-2020-36632
Vulnerability identifier: #VU83421
Vulnerability risk: Critical
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]
CVE-ID:
CWE-ID:
CWE-1321
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
flat
Other software /
Other software solutions
Vendor: hughsk (Hugh Kennedy)
Description
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists in the function unflatten of the file index.js. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..
Vulnerable software versions
flat: 1.0.0 - 5.0.1
External links
https://github.com/hughsk/flat/pull/106
https://vuldb.com/?ctiid.216777
https://vuldb.com/?id.216777
https://github.com/hughsk/flat/issues/105
https://github.com/hughsk/flat/releases/tag/5.0.1
https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
