CVE-2020-7746
Summary
| CVE | CVE-2020-7746 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-10-29 08:15:00 UTC |
| Updated | 2022-12-02 19:44:00 UTC |
| Description | This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the default options) are deeply merged with the provided options. However, during this operation, the keys of the object being set are not checked, leading to prototype pollution. |
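The description above states that the deep merge walks every key of the provided options without checking it. The following is an added example, not Chart.js source code: a minimal recursive options merge in that shape (`mergeUnsafe`), the hardened form that skips prototype-reaching keys and uses a null-prototype merge target as the linked pull request does (`mergeSafe`, `buildOptions`), and a small regression check (`pollutesPrototype`) a project can keep in its test suite to catch the defect in any merge helper. All function names are assumptions, and the JSON payload is constructed for the demonstration.

```javascript
// Added example; not from the Chart.js project. Names are assumptions.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable shape: every key of `source` is merged, including "__proto__".
// On a target whose prototype is Object.prototype, reading target["__proto__"]
// yields Object.prototype itself, so the recursion writes into the shared prototype.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that can reach an object's prototype chain and must never be merged.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened shape: skip prototype-reaching keys, only recurse into the target's
// own plain-object properties, and create nested containers without a prototype.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || !isPlainObject(target[key])) target[key] = Object.create(null);
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defaults and user options are merged into a null-prototype object, the
// approach taken by the patch referenced on this page (Object.create(null) target).
function buildOptions(defaults, userOptions) {
  const merged = mergeSafe(Object.create(null), defaults);
  return mergeSafe(merged, userOptions);
}

// Regression check: returns true if `mergeFn` leaks a property onto
// Object.prototype when fed a crafted options object. Cleans up after itself.
function pollutesPrototype(mergeFn) {
  // Constructed payload in the shape a JSON config or request body would carry.
  const payload = JSON.parse('{"__proto__": {"pollutedByMerge": true}}');
  try {
    mergeFn({}, payload);
    return ({}).pollutedByMerge === true;
  } finally {
    delete Object.prototype.pollutedByMerge;
  }
}

module.exports = { isPlainObject, mergeUnsafe, mergeSafe, buildOptions, pollutesPrototype };
```

`pollutesPrototype(mergeUnsafe)` returns `true` and `pollutesPrototype(mergeSafe)` returns `false`; wiring that pair of calls into a unit test is a cheap way to make sure a future refactor of the merge helper does not reintroduce the issue. The two defenses are independent: the key check alone protects a merge into a normal object, and the null-prototype target alone removes the prototype that `__proto__` would otherwise resolve to, so keeping both gives defense in depth.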
Risk And Classification
Problem Types: CWE-1321
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Use Object.create(null) as `merge` target, to prevent prototype pollution by kurkle · Pull Request #7920 · chartjs/Chart.js · GitHub | CONFIRM | github.com | Patch, Third Party Advisory |
| Prototype Pollution in chart.js \| Snyk | CONFIRM | snyk.io | Exploit |
| Prototype Pollution in org.webjars.npm:chart.js \| Snyk | CONFIRM | snyk.io | Exploit, Third Party Advisory |
| Prototype Pollution in org.webjars.bowergithub.chartjs:chart.js \| Snyk | CONFIRM | snyk.io | Exploit, Third Party Advisory |
| Prototype Pollution in org.webjars.bower:chart.js \| Snyk | CONFIRM | snyk.io | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Alessio Della Libera (d3lla)
Legacy QID Mappings
- 379374 Zimbra Collaboration Suite (ZCS) Multiple Vulnerabilities
- 590764 Mitsubishi Electric EcoWebServerIII Multiple Vulnerabilities (ICSA-22-055-02)
- 590808 Mitsubishi Electric EcoWebServerIII Multiple Vulnerabilities (ICSA-22-055-02)
- 981833 Nodejs (npm) Security Update for chart.js (GHSA-h68q-55jf-x68w)