PT-2020-20978 — Prototype Pollution in @Commercial Subtext

PT-2020-20978 · @Commercial · Subtext

Published

2020-09-03

Updated

2020-09-03

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions @commercial/subtext versions prior to 5.1.2

Description The issue allows a multipart payload to be constructed in a way that one of the parts' content can be set as the entire payload object's prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.

Recommendations Upgrade to version 5.1.2 or later.

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1321

Related Identifiers

GHSA-36C4-4R89-6WHG

Affected Products

Subtext

PT-2020-20978 · @Commercial · Subtext

Weakness Enumeration

Related Identifiers

Affected Products

References · 2