Yuhan Gao

**Nome do Software Vulnerável e Versões Afetadas** Versões do algoliasearch-helper de 2.0.0-rc1 até 3.11.2 **Descrição** O pacote contém uma vulnerabilidade de Prototype Pollution na função ` merge()` dentro do arquivo `merge.js`. Isso permite a modificação do `constructor.prototype`, podendo levar à execução de código caso erros sejam capturados e parâmetros de pesquisa fornecidos pelo usuário sejam injetados. Este é um problema distinto de outro problema relatado. A vulnerabilidade não é explorável na configuração padrão do InstantSearch, pois os parâmetros de pesquisa não são modificáveis pelo usuário. **Recomendações** Atualize para uma versão posterior à 3.11.2.

**Name of the Vulnerable Software and Affected Versions** underscore-keypath versions 0.0.11 and later **Description** The issue arises from improper input sanitization in the `setProperty()` function, allowing the usage of arguments like ` proto ` and leading to Prototype Pollution. This can be exploited due to the lack of proper input validation. **Recommendations** For versions 0.0.11 and later, consider disabling the `setProperty()` function until a patch is available to prevent exploitation. Restrict the use of the `name` argument in the `setProperty()` function to minimize the risk of Prototype Pollution. Avoid using arguments like ` proto ` in the `setProperty()` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** flatnest versions all **Description** The issue concerns Prototype Pollution via the `nest()` function in the `flatnest/nest.js` file. This affects all versions of the package flatnest. **Recommendations** For all versions, consider disabling the `nest()` function as a temporary workaround until a patch is available. Restrict access to the `flatnest/nest.js` file to minimize the risk of exploitation. Avoid using the `nest()` function in sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** progressbar.js versions prior to 1.1.1 **Description** The issue concerns Prototype Pollution via the `extend()` function in the `utils.js` file. This affects the progressbar.js package. **Recommendations** For versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue. As a temporary workaround, consider disabling the `extend()` function in the `utils.js` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** dottie versions prior to 2.0.4 **Description** The issue is related to Prototype Pollution due to insufficient checks. It can be exploited via the `set()` function and the `current` variable in the `/dottie.js` file. **Recommendations** For versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue. As a temporary workaround, consider disabling the `set()` function until a patch is available. Restrict access to the `/dottie.js` file to minimize the risk of exploitation. Avoid using the `current` variable in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** collection.js versions prior to 6.8.1 **Description** The issue concerns Prototype Pollution via the `extend` function in `Collection.js/dist/node/iterators/extend.js`. This affects versions of the package collection.js before 6.8.1. **Recommendations** For versions prior to 6.8.1, update to version 6.8.1 or later to resolve the issue. As a temporary workaround, consider disabling the `extend` function in `Collection.js/dist/node/iterators/extend.js` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** dot-lens versions all **Description** The issue concerns Prototype Pollution via the `set()` function in the `index.js` file. This affects all versions of the dot-lens package. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For all versions, consider disabling the `set()` function in the `index.js` file as a temporary workaround until a patch is available. Restrict access to the `index.js` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** utilities (affected versions not specified) **Description** The issue concerns Prototype Pollution via the ` mix` function. This affects all versions of the package utilities. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** rangy versions all **Description** The issue concerns Prototype Pollution in the rangy package. It occurs when using the `extend()` function in the file `rangy-core.js`, which utilizes a recursive merge. This can allow an attacker to modify properties of the `Object.prototype`. **Recommendations** For all versions, consider disabling the `extend()` function in `rangy-core.js` as a temporary workaround until a patch is available. Restrict access to the `rangy-core.js` file to minimize the risk of exploitation. Avoid using the `extend()` function in the affected file until the issue is resolved.

**Nome do software vulnerável e versões afetadas** todas as versões do safe-eval **Descrição** A vulnerabilidade permite que um invasor adicione ou modifique propriedades do Object.prototype por meio de contaminação de protótipo ao usar a função safeEval. Isso ocorre devido ao uso da variável vm pela função, permitindo que um invasor modifique propriedades do Object.prototype. **Recomendações** Para todas as versões, considere desativar o uso da função safeEval até que um patch esteja disponível para impedir a exploração. Restrinja o acesso à variável vm para minimizar o risco de modificação das propriedades de Object.prototype.

**Nome do software vulnerável e versões afetadas** jsgui-lang-essentials (versões afetadas não especificadas) **Descrição** A vulnerabilidade permite a alteração de todos os atributos do objeto, incluindo atributos mágicos como `proto`, `constructor` e `prototype`, levando à poluição de protótipos. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.