390 – Prototype Pollution
Description
An application object, method or module can be overwritten with malicious logic due to the lack of validations and the nature of the JavaScript language.
Impact
- Overwrite or pollute the behavior of existing methods in the application. - Lead to dangerous vulnerabilities such as XSS, SQLi, RCE, among others.
Recommendation
- Implement integrity validations on the vulnerable objects. - Restrict and Discourage the use harmful properties such as _proto_ in the system objects.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: H
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): N
- Integrity (VI): L
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P