CVE-2020-7679

Name of the Vulnerable Software and Affected Versions casperjs versions (affected versions not specified)

Description The issue concerns a Prototype Pollution vulnerability via the mergeObjects utility function in casperjs, a navigation scripting and testing utility for PhantomJS and SlimerJS. This vulnerability allows for the pollution of the prototype, potentially leading to unintended behavior or security issues. The estimated number of potentially affected devices worldwide is not available. There is no information provided about real-world incidents where this issue was exploited. Technical details about exploitation include the use of the mergeObjects function, where an attacker could pass a malicious payload to pollute the prototype. For example, using a payload like {" proto ": {"a": "pwned"}} and then calling mergeObjects({}, payload) could lead to the prototype being polluted, as demonstrated by console.log({}.a) printing "pwned".

Recommendations As a temporary workaround, consider disabling the mergeObjects function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.