CVE-2020-28480
Prototype pollution in JointJS
EPSS 0.56%
Description
The package jointjs before 3.3.0 is vulnerable to Prototype Pollution via util.setByPath (https://resources.jointjs.com/docs/jointjs/v3.2/joint.html#util.setByPath). The path used to access the object's key and set the value is not properly sanitized, leading to Prototype Pollution.
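The bug class described above, shown as an added example that is not JointJS source code and not the project's actual fix. The function names, the blocked-key list and the sample path are assumptions made for illustration; the hardened variant shows one common mitigation.

```javascript
// Simplified path setter in the style of a setByPath utility (hypothetical,
// not JointJS source). It walks every path segment without checking the key.
function setByPathUnsafe(obj, path, value, delim = '/') {
  const keys = Array.isArray(path) ? path.slice() : String(path).split(delim);
  const last = keys.pop();
  let node = obj;
  for (const key of keys) {
    if (node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key]; // '__proto__' resolves to Object.prototype here
  }
  node[last] = value;
  return obj;
}

// One common mitigation (assumed, not the project's patch): reject keys that
// reach the prototype chain and only descend into own properties.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setByPathSafe(obj, path, value, delim = '/') {
  // map(String) also normalises nested-array segments such as ['__proto__'].
  const keys = Array.isArray(path) ? path.map(String) : String(path).split(delim);
  if (keys.some((k) => BLOCKED_KEYS.has(k))) {
    throw new TypeError('path contains a blocked key');
  }
  const last = keys.pop();
  let node = obj;
  for (const key of keys) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key];
  }
  node[last] = value;
  return obj;
}

// Constructed input: a path string that originates from untrusted data.
function demo() {
  const untrustedPath = '__proto__/isAdmin';
  setByPathUnsafe({}, untrustedPath, true);
  const pollutedBefore = ({}).isAdmin === true; // unrelated objects inherit it
  delete Object.prototype.isAdmin;              // undo the pollution
  let rejected = false;
  try { setByPathSafe({}, untrustedPath, true); } catch (e) { rejected = e instanceof TypeError; }
  return { pollutedBefore, rejected, cleanAfter: ({}).isAdmin === undefined };
}
console.log(demo());
```

Upgrading to 3.3.0 or later remains the remediation; a key filter like this is only relevant to application code that builds its own path setters or passes untrusted paths to one.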
How to fix CVE-2020-28480
To remediate CVE-2020-28480, upgrade the affected package to a fixed version below.
- npm/jointjs—upgrade to 3.3.0 or later
Is CVE-2020-28480 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.3.0