This can be exploited to inject arbitrary key-value pairs into the application's internal data structures, leading to a potential information disclosure or data injection attack. ************************ This issue was discovered by Pedro Vilares of Vrije Universiteit Amsterdam during a penetration test. ************************
In addition to the '__proto__' field, the application also allows editing of the 'static_data' property, which is included into the application's database. This allows the injection of arbitrary data into the database, which can be leveraged to launch different types of attacks against the application. ************************ This issue was discovered by Pedro Vilares of Vrije Universiteit Amsterdam during a penetration test. ************************
In addition to the '__proto__' field, the application also allows editing of the 'static_data' property, which is included into the application's database. This allows the injection of arbitrary data into the database, which can be leveraged to launch different types of attacks against the application. ************************ This issue was discovered by Pedro Vilares of Vrije Universiteit Amsterdam during a penetration test. ************************
Dependencies of the vulnerability
This vulnerability has been exploited to launch attacks against this application. ************************ This issue was discovered by Pedro Vilares of Vrije Universiteit Amsterdam during a penetration test. ************************
********************************
1) The '__proto__' field allows an attacker to inject arbitrary key-value pairs into the application's internal data structures, leading to a potential information disclosure or data injection attack.
2) The 'static_data' property allows an attacker to inject arbitrary data into the database, which can be leveraged to launch different types of attacks against the application.
Summary
This issue is a result of a lack of input validation in the application's handling of "static_data" property, which is included into the application's database. This field is accessible through the __proto__ field, and allows for arbitrary key-value pairs to be injected into the application's internal data structures. This can be exploited to inject arbitrary key-value pairs into the application's internal data structures, leading to a potential information disclosure or data injection attack.
2.3.4 - Improper Restriction of user-supplied input
The application allows for the user to enter arbitrary key-value pairs, as demonstrated by a demonstration of key-value pair injection. ************************ This issue was discovered by Pedro Vilares of Vrije Universiteit Amsterdam during a penetration test. ************************
The application allows for the user to enter arbitrary key-value pairs, as demonstrated by a demonstration of key-value pair injection. ************************ This issue was discovered by Pedro Vilares of Vrije Universiteit Amsterdam during a penetration test. ************************
Timeline
Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/05/2022 00:31:00 UTC