Asgerf

**Name of the Vulnerable Software and Affected Versions** Countly versions prior to 21.11 **Description** The issue allows for cross-site scripting. To exploit this, the victim must follow a malicious link or be redirected from a malicious website. The attacker needs to have an account or be able to create one. **Recommendations** For versions prior to 21.11, update to version 21.11 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Erxes versions 0.22.3 and prior **Description** Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting. This results in client-side code execution. The victim must follow a malicious link or be redirected there from a malicious web site. **Recommendations** For versions 0.22.3 and prior, there is no information about a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to potentially malicious links to minimize the risk of exploitation. Avoid using the system until a patch is available.

**Name of the Vulnerable Software and Affected Versions** node.extend versions prior to 1.1.7 node.extend versions prior to 2.0.1 **Description** A prototype pollution issue was discovered in node.extend that allows an attacker to inject arbitrary properties onto Object.prototype. **Recommendations** Update to version 1.1.7 or later. Update to version 2.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** just-extend versions prior to 4.0.0 **Description** A prototype pollution issue allows an attack to inject properties onto Object.prototype through its functions, potentially adding or modifying properties of the Object prototype. These properties will be present on all objects. **Recommendations** Update to version 4.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** defaults-deep versions prior to a fixed version (no fixed version specified) defaults-deep (all versions) **Description** A prototype pollution issue allows a malicious user to inject properties onto Object.prototype, given certain input. This can add or modify properties of the Object prototype, which will be present on all objects. **Recommendations** For defaults-deep versions prior to a fixed version, consider selecting another module that can provide this functionality as no patch is currently available for this vulnerability. For all versions of defaults-deep, consider selecting another module that can provide this functionality as no patch is currently available for this vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** merge versions prior to 1.2.1 **Description** The issue allows the `merge.recursive` function in the merge package to be tricked into adding or modifying properties of the Object prototype. This can lead to a denial of service attack, as these properties will be present on all objects. **Recommendations** Update to version 1.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** extend versions prior to 2.0.2 extend versions prior to 3.0.2 **Description** A prototype pollution issue allows an attacker to inject arbitrary properties onto Object.prototype. This can be exploited by a remote attacker to add or modify properties of the object prototype, potentially affecting all objects. The extend module's extend() function is vulnerable, enabling attackers to modify the Object prototype. **Recommendations** For extend version 2.x, upgrade to 2.0.2 or later. For extend version 3.x, upgrade to 3.0.2 or later.