CVE-2021-23682

This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability.
Prototype Pollution
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
snykCNA
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
VendorProductVersion
appwriteappwrite
𝑥
< 0.11.1
appwriteappwrite
0.12.0 ≤
𝑥
< 0.12.2
litespeed.js_projectlitespeed.js
𝑥
< 0.3.12
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/appwrite/appwrite/pull/2778
https://github.com/appwrite/appwrite/releases/tag/0.11.1
https://github.com/appwrite/appwrite/releases/tag/0.12.2
https://github.com/litespeed-js/litespeed.js/pull/18
https://snyk.io/vuln/SNYK-JS-LITESPEEDJS-2359250
https://snyk.io/vuln/SNYK-PHP-APPWRITESERVERCE-2401820
https://github.com/appwrite/appwrite/pull/2778
https://github.com/appwrite/appwrite/releases/tag/0.11.1
https://github.com/appwrite/appwrite/releases/tag/0.12.2
https://github.com/litespeed-js/litespeed.js/pull/18
https://snyk.io/vuln/SNYK-JS-LITESPEEDJS-2359250
https://snyk.io/vuln/SNYK-PHP-APPWRITESERVERCE-2401820