2019-02-01 19:29:00 2019-10-10 01:36:12

A prototype pollution vulnerability was found in just-extend <4.0.0 that allows attack to inject properties onto Object.prototype through its functions.

Vector

NETWORK

Complexity

LOW

Authentication

NONE

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL
Just-extend project Just-extend 3.0.0 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 2.1.0 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.27 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.26 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.25 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.24 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.23 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.22 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.21 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.20 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.19 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.18 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.17 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.16 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.15 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.10 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.9 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.8 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.7 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.5 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.1 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.1.0 ~~~node.js~~ (not an official CPE) Just-extend project Just-extend 1.0.0 ~~~node.js~~ (not an official CPE)
Advisory Patch Confirmed Link
https://hackerone.com/reports/430291

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (ID 74)

Related CAPEC 38 Buffer Overflow via Environment Variables (CAPEC-ID 10) Server Side Include (SSI) Injection (CAPEC-ID 101) Cross Site Scripting through Log Files (CAPEC-ID 106) Command Line Execution through SQL Injection (CAPEC-ID 108) Subverting Environment Variable Values (CAPEC-ID 13) Format String Injection (CAPEC-ID 135) Client-side Injection-induced Buffer Overflow (CAPEC-ID 14) Filter Failure through Buffer Overflow (CAPEC-ID 24) XML Injection (CAPEC-ID 250) Leverage Alternate Encoding (CAPEC-ID 267) HTTP Response Smuggling (CAPEC-ID 273) Fuzzing (CAPEC-ID 28) Using Leading 'Ghost' Character Sequences to Bypass Input Filters (CAPEC-ID 3) HTTP Response Splitting (CAPEC-ID 34) Manipulating Writeable Terminal Devices (CAPEC-ID 40) MIME Conversion (CAPEC-ID 42) Exploiting Multiple Input Interpretation Layers (CAPEC-ID 43) Buffer Overflow via Symbolic Links (CAPEC-ID 45) Overflow Variables and Tags (CAPEC-ID 46) Buffer Overflow via Parameter Expansion (CAPEC-ID 47) Poison Web Service Registry (CAPEC-ID 51) Embedding NULL Bytes (CAPEC-ID 52) Postfix, Null Terminate, and Backslash (CAPEC-ID 53) Using Slashes and URL Encoding Combined to Bypass Validation Logic (CAPEC-ID 64) SQL Injection (CAPEC-ID 66) String Format Overflow in syslog() (CAPEC-ID 67) Blind SQL Injection (CAPEC-ID 7) Using Unicode Encoding to Bypass Validation Logic (CAPEC-ID 71) URL Encoding (CAPEC-ID 72) Manipulating Input to File System Calls (CAPEC-ID 76) Using Escaped Slashes in Alternate Encoding (CAPEC-ID 78) Using Slashes in Alternate Encoding (CAPEC-ID 79) Buffer Overflow in an API Call (CAPEC-ID 8) Using UTF-8 Encoding to Bypass Validation Logic (CAPEC-ID 80) XPath Injection (CAPEC-ID 83) XQuery Injection (CAPEC-ID 84) Buffer Overflow in Local Command-Line Utilities (CAPEC-ID 9) XSS in IMG Tags (CAPEC-ID 91)