CVE-2023-0842

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-0842
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-0842.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-0842
Aliases
Downstream
Published
2023-04-05T20:15:07Z
Modified
2025-10-10T04:22:05.441123Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

References

Affected packages

Git / github.com/leonidas-from-xiv/node-xml2js

Affected ranges

Type
GIT
Repo
https://github.com/leonidas-from-xiv/node-xml2js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.4.0
0.4.1
0.4.10
0.4.11
0.4.12
0.4.13
0.4.15
0.4.16
0.4.17
0.4.18
0.4.19
0.4.2
0.4.20
0.4.21
0.4.22
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.5.0
0.6.0
0.6.1