
=====================================================================

                               CERT-Renater

                    Information Note No. 2022/VULN368

_____________________________________________________________________

DATE                : 11/10/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running @xmldom/xmldom (npm) versions prior
                     to 0.8.3 or, on the next dist-tag, prior to
                     0.9.0-beta.2.

=====================================================================
https://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj
_____________________________________________________________________


Improperly Controlled Modification of Object Prototype Attributes
('Prototype Pollution') in @xmldom/xmldom and xmldom

Moderate severity, published by karfau as GHSA-9pgh-qqpf-7wqj

Package               Affected versions      Patched versions
@xmldom/xmldom (npm)  <0.8.3, 0.9.0-beta.1   ~0.8.3, >=0.9.0-beta.2
xmldom (npm)          *                      not possible


Description

Impact
A prototype pollution vulnerability exists in the function copy in
dom.js in the xmldom (published as @xmldom/xmldom) package before
0.8.3.
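To make the advisory's wording concrete, the following is an added illustration and not the code of xmldom's dom.js: a generic recursive property-copy helper in a vulnerable form and a hardened form, with a constructed untrusted input. It generalises the single-function case named above to the usual deep-copy shape, showing why a copy loop that follows a "__proto__" key into the destination's prototype chain ends up writing to Object.prototype, and the own-property and key-denylist checks that prevent it. All function names and the sample input are assumptions made for this example.

```javascript
// Added illustration, not xmldom's own code: a recursive property-copy
// helper in a vulnerable and a hardened form. Function names and the
// sample input below are constructed for this example.

// Vulnerable pattern: walks every enumerable key, including "__proto__",
// and recurses into dest[key]. For the key "__proto__", dest[key]
// resolves to Object.prototype, so the nested values land on every object.
function deepCopyUnsafe(src, dest) {
  for (const key in src) {
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      if (dest[key] === null || typeof dest[key] !== 'object') dest[key] = {};
      deepCopyUnsafe(value, dest[key]);
    } else {
      dest[key] = value;
    }
  }
  return dest;
}

// Hardened pattern: own enumerable keys only (Object.keys), and keys that
// reach the prototype chain are skipped rather than copied.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepCopySafe(src, dest) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      const existing = Object.prototype.hasOwnProperty.call(dest, key) ? dest[key] : undefined;
      if (existing === null || typeof existing !== 'object') dest[key] = {};
      deepCopySafe(value, dest[key]);
    } else {
      dest[key] = value;
    }
  }
  return dest;
}

// Probe: does a fresh, empty object now see `key` through its prototype?
function isPolluted(key) {
  return key in {};
}

// Constructed untrusted input, as it would arrive from JSON.parse: the
// "__proto__" entry is an own property of the parsed object.
const UNTRUSTED = JSON.parse('{"name":"x","__proto__":{"polluted":true}}');

// Runs both copies against a fresh target and reports what each did.
// The unsafe run's global side effect is undone so the process is not
// left polluted.
function demonstrate() {
  const beforeUnsafe = isPolluted('polluted');
  deepCopyUnsafe(UNTRUSTED, {});
  const afterUnsafe = isPolluted('polluted');
  delete Object.prototype.polluted;

  const target = deepCopySafe(UNTRUSTED, {});
  const afterSafe = isPolluted('polluted');

  return {
    beforeUnsafe,                                                          // false
    afterUnsafe,                                                           // true
    afterSafe,                                                             // false
    safeKeys: Object.keys(target),                                         // ['name']
    safeProtoIsObject: Object.getPrototypeOf(target) === Object.prototype, // true
  };
}

console.log(demonstrate());
```

The probe `isPolluted` is the kind of check a test suite can run after parsing untrusted input to detect that a shared prototype was modified; the hardened copy avoids the problem at the source by never treating prototype-reaching keys as data.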

Patches
Update to @xmldom/xmldom@0.8.3 or higher, or to
@xmldom/xmldom@0.9.0-beta.2 or higher if you are on the next
dist-tag.

Workarounds
None. If you cannot update to v0.8.3, please let us know; we would
also be able to provide a patch update for version 0.7.x if
required.


References
#437


For more information
If you have any questions or comments about this advisory:
Email us at security@xmldom.org

Add information to https://github.com/xmldom/xmldom/issue/436


Severity      : Moderate (6.4 / 10)

CVSS base metrics
  Attack vector       : Local
  Attack complexity   : High
  Privileges required : Low
  User interaction    : None
  Scope               : Changed
  Confidentiality     : None
  Integrity           : High
  Availability        : Low
  Vector string       : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L

CVE ID        : CVE-2022-37616

Weaknesses    : CWE-1321

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


