Tariq Hawis

**Name of the Vulnerable Software and Affected Versions** In Progress Telerik Kendo UI for Vue versions v2.4.0 through v6.0.1 **Description** The issue allows an attacker to introduce or modify properties within the global prototype chain, which can result in denial of service or command injection. **Recommendations** For versions v2.4.0 through v6.0.1, update to a version outside of this range to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to sensitive properties within the global prototype chain until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0 **Description** An attacker can introduce or modify properties within the global prototype chain, which can result in denial of service or command injection. **Recommendations** For versions v3.5.0 through v9.4.0, consider restricting access to sensitive properties within the global prototype chain until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uplot versions prior to 1.6.31 **Description** The issue is related to Prototype Pollution via the `uplot.assign` function due to a missing check if the attribute resolves to the object prototype. This allows for potential manipulation of the object's prototype, leading to security issues. **Recommendations** For versions prior to 1.6.31, update to version 1.6.31 or later to resolve the issue. As a temporary workaround, consider disabling the `uplot.assign` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** dset versions prior to 3.1.4 **Description** The issue arises from improper user input sanitization in the dset function, allowing an attacker to inject malicious object properties using the built-in Object property ` proto `. This vulnerability enables the recursive assignment of malicious properties to all objects in the program, facilitating prototype pollution. **Recommendations** For versions prior to 3.1.4, update to version 3.1.4 or later to resolve the issue. As a temporary workaround, consider restricting user input to prevent exploitation of the dset function until a patch is applied. Avoid using the ` proto ` property in the dset function to minimize the risk of prototype pollution.

**Name of the Vulnerable Software and Affected Versions** web3-utils versions prior to 4.2.1 **Description** The issue concerns Prototype Pollution via the utility functions `format` and `mergeDeep` due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions. **Recommendations** For versions prior to 4.2.1, upgrade to web3-utils version 4.2.1 to resolve the issue. As a temporary workaround, consider restricting the use of the `mergeDeep()` function until the upgrade is applied. Additionally, be cautious when using the `format` function with untrusted input to minimize the risk of exploitation.