CVE-2022-37616

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."
Configurations

Configuration 1

cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*
cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*
cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Information

Published : 2022-10-11 05:15

Updated : 2023-02-10 04:17


NVD link : CVE-2022-37616

Mitre link : CVE-2022-37616

Products Affected
No products.
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')