Search criteria
2 vulnerabilities by relative
CVE-2023-45811 (GCVE-0-2023-45811)
Vulnerability from cvelistv5 – Published: 2023-10-17 22:37 – Updated: 2024-09-13 15:29
VLAI
Title
Prototype pollution vulnerability leading to arbitrary code execution in synchrony deobfuscator
Summary
Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `deobfuscator@2.4.4`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags
Severity
8.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/relative/synchrony/security/ad… | x_refsource_CONFIRM |
| https://github.com/relative/synchrony/commit/b583… | x_refsource_MISC |
| https://github.com/relative/synchrony/security/ad… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.516Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/relative/synchrony/security/advisories/GHSA-jg82-xh3w-rhxx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/relative/synchrony/security/advisories/GHSA-jg82-xh3w-rhxx"
},
{
"name": "https://github.com/relative/synchrony/commit/b583126be94c4db7c5a478f1c5204bfb4162cf40",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/relative/synchrony/commit/b583126be94c4db7c5a478f1c5204bfb4162cf40"
},
{
"name": "https://github.com/relative/synchrony/security/advisories/src/transformers/literalmap.ts",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/relative/synchrony/security/advisories/src/transformers/literalmap.ts"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:relative:synchrony:*:*:*:*:*:nodejs:*:*"
],
"defaultStatus": "unknown",
"product": "synchrony",
"vendor": "relative",
"versions": [
{
"lessThan": "2.4.4",
"status": "affected",
"version": "2.0.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45811",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T15:26:06.582156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T15:29:09.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synchrony",
"vendor": "relative",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.1, \u003c 2.4.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synchrony deobfuscator is a javascript cleaner \u0026 deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `deobfuscator@2.4.4`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-17T22:37:20.249Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/relative/synchrony/security/advisories/GHSA-jg82-xh3w-rhxx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/relative/synchrony/security/advisories/GHSA-jg82-xh3w-rhxx"
},
{
"name": "https://github.com/relative/synchrony/commit/b583126be94c4db7c5a478f1c5204bfb4162cf40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/relative/synchrony/commit/b583126be94c4db7c5a478f1c5204bfb4162cf40"
},
{
"name": "https://github.com/relative/synchrony/security/advisories/src/transformers/literalmap.ts",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/relative/synchrony/security/advisories/src/transformers/literalmap.ts"
}
],
"source": {
"advisory": "GHSA-jg82-xh3w-rhxx",
"discovery": "UNKNOWN"
},
"title": "Prototype pollution vulnerability leading to arbitrary code execution in synchrony deobfuscator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45811",
"datePublished": "2023-10-17T22:37:20.249Z",
"dateReserved": "2023-10-13T12:00:50.437Z",
"dateUpdated": "2024-09-13T15:29:09.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-7077 (GCVE-0-2008-7077)
Vulnerability from cvelistv5 – Published: 2009-08-25 10:00 – Updated: 2024-08-07 11:56
VLAI
Summary
Multiple SQL injection vulnerabilities in SailPlanner 0.3a allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/32521 | vdb-entryx_refsource_BID |
| https://www.exploit-db.com/exploits/7267 | exploitx_refsource_EXPLOIT-DB |
| http://www.juniper.net/security/auto/vulnerabilit… | x_refsource_MISC |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entryx_refsource_XF |
Date Public
2008-11-28 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T11:56:14.034Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "32521",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/32521"
},
{
"name": "7267",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/7267"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.juniper.net/security/auto/vulnerabilities/vuln32521.html"
},
{
"name": "sailplanner-username-sql-injection(46932)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46932"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-11-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in SailPlanner 0.3a allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-28T12:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "32521",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/32521"
},
{
"name": "7267",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/7267"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.juniper.net/security/auto/vulnerabilities/vuln32521.html"
},
{
"name": "sailplanner-username-sql-injection(46932)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46932"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-7077",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in SailPlanner 0.3a allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "32521",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/32521"
},
{
"name": "7267",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/7267"
},
{
"name": "http://www.juniper.net/security/auto/vulnerabilities/vuln32521.html",
"refsource": "MISC",
"url": "http://www.juniper.net/security/auto/vulnerabilities/vuln32521.html"
},
{
"name": "sailplanner-username-sql-injection(46932)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46932"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-7077",
"datePublished": "2009-08-25T10:00:00.000Z",
"dateReserved": "2009-08-24T00:00:00.000Z",
"dateUpdated": "2024-08-07T11:56:14.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}