Due Date: 2023-01-10
A medium severity vulnerability has been discovered in your project.
Project Name: kondukto-ui-vue
Scanner Name: dependabot
CWE ID: 915
CWE Name: Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE Link: https://cwe.mitre.org/data/definitions/915.html
File: package-lock.json
Packages:
References:
Training (Secure Code Warrior):
Name: Improperly Controlled Modification of Dynamically-Determined Object Attributes
Description: The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/mass_assignment/generic
Videos:
Name: External Control of Assumed-Immutable Web Parameter
Description: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/access/untrusted_source
Videos:
Tool Description:
Summary: Prototype Pollution in Ajv
Fixed Patch: 6.12.3
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e702
Deeplink: https://github.com/advisories/GHSA-v88g-cgmw-v5xw