
CVE-2021-23413


Date: July 25, 2021

This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g., __proto__, toString, etc.) results in a returned object with a modified prototype instance.

Language: JS

Severity Score


Weakness Type (CWE)

NVD-CWE-noinfo: Insufficient Information

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Top Fix


Upgrade Version



CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): LOW

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): PARTIAL