PT-2019-12040 · Google+1 · Angularjs+1

Pierre Villard · Published 2019-11-19 · Updated 2025-11-20 · CVE-2019-10768

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

AngularJS versions prior to 1.7.9

Description

The issue concerns the merge() function, which can be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. This may allow an attacker to add or modify an existing property that will exist on all objects. The problem arises because the deprecated API function merge() does not restrict the modification of an Object's prototype.

Recommendations

For versions prior to 1.7.9, upgrade to version 1.7.9 or later.
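
The behaviour in the description, shown as an added example that is not AngularJS source code or part of the original advisory: a simplified recursive merge that follows a `__proto__` key, next to a hardened variant that skips it. The function names, the blocked-key list and the sample input are assumptions constructed for illustration.

```javascript
'use strict';
// Added example: simplified recursive merges, not AngularJS source code.

// Keys that can reach a prototype when followed during a merge (assumed list).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isObject = (v) => v !== null && typeof v === 'object';

// Vulnerable pattern: every own key of src is followed, including "__proto__".
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isObject(src[key])) {
      if (!isObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], src[key]); // dst["__proto__"] is Object.prototype
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened pattern: skip blocked keys and recurse only into own properties.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isObject(src[key])) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Returns true if merging the constructed input changed Object.prototype.
function pollutesPrototype(mergeFn) {
  // Constructed sample input: JSON.parse makes "__proto__" an own property.
  const input = JSON.parse('{"theme":{"dark":true},"__proto__":{"isAdmin":true}}');
  mergeFn({}, input);
  const polluted = ({}).isAdmin === true; // an unrelated object inherits the key
  delete Object.prototype.isAdmin;        // restore global state
  return polluted;
}

console.log('naiveMerge pollutes:', pollutesPrototype(naiveMerge));
console.log('safeMerge pollutes:', pollutesPrototype(safeMerge));
```

The same `pollutesPrototype` check can be pointed at any merge or extend helper in a code base as a regression test after upgrading.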

Exploit

Fix

Prototype Pollution

RCE

Weakness Enumeration

Related Identifiers

CVE-2019-10768
GHSA-89MQ-4X47-5V83
RHSA-2022:8849
RHSA-2022:8866
RHSA-2023:0274
SNYK-JS-ANGULAR-534884

Affected Products

Angularjs
Debian