Severity
High
Analysis Summary
CVE-2021-23820
Node.js json-pointer module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the pointer components. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2021-23807
Node.js jsonpointer module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the pointer components. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2021-23784
Node.js tempura module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the esc function. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2021-23624
Node.js dotty module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the path parameter. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2021-23509
Node.js json-ptr module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the pointer parameter. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2021-23472
Node.js bootstrap-table module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
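The prototype pollution entries above (json-pointer, jsonpointer, dotty, json-ptr) all share one root cause: a setter that walks caller-supplied path tokens without refusing the ones that lead into Object.prototype. The following is an added illustration, not code from any of the modules listed, that shows that unsafe pattern in a minimal RFC 6901 pointer setter beside a hardened version, plus a check a reviewer can use to confirm whether a setter leaks into every fresh object.

```javascript
// Added example, not code from the modules named above: a minimal RFC 6901
// JSON-pointer setter in the unsafe pattern the advisory describes, beside a
// hardened version that refuses "__proto__", "constructor" and "prototype".

function parsePointer(pointer) {
  // "" is the whole document; otherwise "/tok/tok" with ~1 -> "/" and ~0 -> "~".
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error('invalid JSON pointer: ' + pointer);
  return pointer.slice(1).split('/')
    .map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}
// Unsafe pattern: walks whatever tokens the caller supplies, so a pointer
// like "/__proto__/x" descends into Object.prototype and writes there.
function unsafeSet(obj, pointer, value) {
  const tokens = parsePointer(pointer);
  let cur = obj;
  for (let i = 0; i < tokens.length - 1; i++) {
    if (cur[tokens[i]] === undefined) cur[tokens[i]] = {};
    cur = cur[tokens[i]];
  }
  cur[tokens[tokens.length - 1]] = value;
  return obj;
}
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject prototype-chain tokens up front and only descend into
// properties the current object owns itself (never inherited ones).
function safeSet(obj, pointer, value) {
  const tokens = parsePointer(pointer);
  if (tokens.some((t) => FORBIDDEN.has(t))) {
    throw new Error('refusing to traverse the prototype chain: ' + pointer);
  }
  let cur = obj;
  for (let i = 0; i < tokens.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, tokens[i])) cur[tokens[i]] = {};
    cur = cur[tokens[i]];
  }
  cur[tokens[tokens.length - 1]] = value;
  return obj;
}

// Detection check: after writing `prefix + "/isAdmin"` through `setter` into a
// throwaway object, does a brand-new {} now inherit isAdmin? (true = polluted)
function pollutes(setter, prefix) {
  try { setter({}, prefix + '/isAdmin', true); } catch (e) { /* hardened setter throws */ }
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;   // undo so later checks start clean
  return leaked;
}
```

The same `pollutes` check can be pointed at any third-party path setter during a dependency review; a true result for either the `__proto__` or the `constructor/prototype` prefix is the condition these CVEs describe.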
Impact
- Code Execution
- Cross-Site Scripting
Affected Vendors
Node.js
Affected Products
- Node.js json-pointer 0.6.1
- Node.js jsonpointer 4.1.0
- Node.js tempura 0.3.2
- Node.js dotty 0.1.1
- Node.js json-ptr 2.2.0
- Node.js bootstrap-table 1.18.3
Remediation
Upgrade to the latest version of jsonpointer, available from the NPM Web site.