Kevgeoleo

**Nome do Software Vulnerável e Versões Afetadas** Versões do Swiper de 6.5.1 a 12.1.1 **Descrição** O Swiper é um slider de toque gratuito e móvel com transições aceleradas por hardware e comportamento nativo. Existe um problema de poluição de protótipo no arquivo `shared/utils.mjs`, especificamente na linha 94, onde a função `indexOf()` é usada para validar entrada fornecida pelo usuário. Apesar de uma tentativa anterior de resolver a poluição de protótipo ao verificar chaves proibidas, ainda é possível poluir o `Object.prototype` usando uma entrada elaborada que aproveita o `Array.prototype`. Este problema afeta sistemas Windows e Linux, bem como os runtimes Node e Bun. Aplicativos que processam entradas controladas por atacantes com este pacote podem ser suscetíveis a Bypass de Autenticação, Negação de Serviço e Execução Remota de Código (RCE). **Recomendações** Atualize para a versão 12.1.2 para resolver este problema.

**Name of the Vulnerable Software and Affected Versions** set-in versions 2.0.1 through 2.0.4 **Description** set-in is a Node.js package that sets values within nested associative structures given an array of keys. A flaw exists where, despite a previous attempt to prevent prototype pollution by checking for forbidden keys, it remains possible to pollute `Object.prototype` using a crafted input leveraging `Array.prototype`. The issue resides in the `includes()` function used to validate user input. A proof-of-concept demonstrates bypassing the intended protection by redefining `Array.prototype.includes` to always return false, allowing the injection of a property named `polluted` into `Object.prototype`. This could potentially lead to authentication bypass, denial of service, or remote code execution if the polluted property is passed to vulnerable sinks. **Recommendations** set-in versions 2.0.1 through 2.0.4 should be updated to version 2.0.5.

**Name of the Vulnerable Software and Affected Versions** Locutus versions 2.0.12 through 2.0.38 **Description** Locutus, designed to bring standard libraries from other programming languages to JavaScript for educational purposes, contains a prototype pollution issue. A previous attempt to address prototype pollution by checking for forbidden keys in user input was insufficient. It remains possible to pollute `Object.prototype` through a crafted input utilizing `String.prototype`. This allows for malicious property injection, potentially leading to further compromise. **Recommendations** Upgrade to version 2.0.39.

**Name of the Vulnerable Software and Affected Versions** deephas version 1.0.7 deephas versions prior to 1.0.8 **Description** A prototype pollution issue exists in the deephas npm package. This allows an attacker to modify global object behavior by injecting properties into Object.prototype. The issue resides in the `add()` function and `indexer()` function within `deepHas.js`. The vulnerability can be bypassed by manipulating `Object.prototype.hasOwnProperty` or `String.prototype.indexOf`. Exploitation can lead to authentication bypass, denial of service, and potentially remote code execution if polluted properties are passed to vulnerable sinks. **Recommendations** deephas versions prior to 1.0.8 should be updated to version 1.0.8 or later.