CVE-2021-23682 Information
Jun 07, 2022
Description
This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, and before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized, leading to a Prototype Pollution vulnerability.
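The bug class described above, shown as an added example that is not taken from litespeed.js or Appwrite: a query-string parser that follows bracketed keys without sanitizing them, next to a hardened variant. All function names, the bracket syntax and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration; not litespeed.js source. All names here are hypothetical.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  return rawKey.split(/[\[\]]+/).filter(Boolean);
}

// Walk the path, creating containers as needed, and set the leaf value.
function assign(target, path, value, makeContainer) {
  let node = target;
  for (const part of path.slice(0, -1)) {
    if (typeof node[part] !== 'object' || node[part] === null) {
      node[part] = makeContainer();
    }
    node = node[part];
  }
  node[path[path.length - 1]] = value;
}

// Unsanitized pattern: every key segment is followed, so a "__proto__"
// segment resolves to Object.prototype and the write lands there.
function parseQueryNaive(query) {
  const result = {};
  for (const [k, v] of new URLSearchParams(query)) {
    const path = keyPath(k);
    if (path.length) assign(result, path, v, () => ({}));
  }
  return result;
}

// Hardened pattern: drop parameters containing a blocked segment and use
// prototype-less containers so no lookup can reach Object.prototype.
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [k, v] of new URLSearchParams(query)) {
    const path = keyPath(k);
    if (!path.length || path.some((p) => BLOCKED.has(p))) continue;
    assign(result, path, v, () => Object.create(null));
  }
  return result;
}
```

A regression test for a fix of this kind can parse a constructed query containing a blocked segment and then check that a fresh `{}` has gained no new property.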
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
https://snyk.io/vuln/SNYK-PHP-APPWRITESERVERCE-2401820
https://github.com/appwrite/appwrite/pull/2778
https://github.com/litespeed-js/litespeed.js/pull/18
https://snyk.io/vuln/SNYK-JS-LITESPEEDJS-2359250
https://github.com/appwrite/appwrite/releases/tag/0.12.2
https://github.com/appwrite/appwrite/releases/tag/0.11.1
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.8
Base Severity
CRITICAL