Improperly Controlled Modification of Object Prototype Attributes Vulnerability in Convict
CVE-2023-0163

Currently unrated

Key Information:

Vendor: Mozilla
Status: Vendor
CVE Published: 26 November 2024

Summary

A prototype pollution vulnerability exists in Mozilla Convict that lets an attacker manipulate object prototype attributes. Because modification of those attributes is not properly controlled, an attacker can inject new attributes or replace existing ones with values of an incompatible type. This may lead to operational issues, including crashes of the server. Convict is primarily used to manage server-side configuration settings and is often administered by server owners, which minimizes the likelihood of intentional misuse. The risk remains, however, that an unsuspecting administrator is deceived into embedding malicious JavaScript code within configuration files.
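The failure mode described above, shown as an added example that is not Convict's code: a hypothetical dotted-path config setter without key checks next to a hardened one. The function names, the `FORBIDDEN` list and the sample path are assumptions made for illustration.

```javascript
// Keys that lead into the prototype chain instead of the config tree.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical naive setter: walks a dotted path with no key checks.
function unsafeSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
}

// Hardened setter: rejects prototype-reaching segments and only descends
// into properties the config object itself owns.
function safeSet(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error(`refusing prototype-reaching config path: ${path}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
}

// Applies one setter to a constructed hostile path, then checks whether an
// unrelated plain object still coerces to a string. Restores the prototype
// afterwards so the process stays usable.
function probe(setter) {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, 'toString');
  let rejected = false;
  let crashed = false;
  try {
    setter({}, '__proto__.toString', 'not-a-function'); // constructed input
  } catch (err) {
    rejected = true;
  }
  try {
    String({}); // stands in for any later object-to-string coercion
  } catch (err) {
    crashed = err instanceof TypeError; // incompatible type on the prototype
  } finally {
    Object.defineProperty(Object.prototype, 'toString', saved);
  }
  return { rejected, crashed };
}
```

`probe(unsafeSet)` reports a crash in code that never touched the config object, while `probe(safeSet)` reports the path rejected and no crash.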

Affected Version(s)

Convict: versions from 0 up to, but not including, 6.2.4

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Captain-K-101