CVE-2021-23682 – litespeed.js

Package

Manager: npm
Name: litespeed.js
Vulnerable Version: >=0 <0.3.12

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.05384 pctl0.8974

Details

Prototype Pollution in litespeed.js and appwrite/server-ce This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability.

Metadata

Created: 2022-02-17T00:00:32Z
Modified: 2022-02-25T15:40:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v9p9-535w-4285/GHSA-v9p9-535w-4285.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-v9p9-535w-4285
Finding: F390
Auto approve: 1