VDB
CVE-2020-7746
CVE-2020-7746
PUBLISHED
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
EPSS 0.21% · 43.7th percentile
Risk Scores
EPSS Score
0.21%
43.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | node-chart.js | 0, 2.9.3+dfsg-1, 2.9.3+dfsg-2 |
Exploit Intelligence
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1019375 (nist-nvd)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCHARTJS-1019376 (nist-nvd)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019374 (nist-nvd)
- https://snyk.io/vuln/SNYK-JS-CHARTJS-1018716 (nist-nvd)
- zap.html (github-poc)
- zap.html (github-poc)
- zap.html (github-poc)
- zap.html (github-poc)
- zap.html (github-poc)
- zap.html (github-poc)
…and 10 more exploits
Timeline
- Oct 29, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Jul 21, 2021 CVE Updated
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-7746 third-party-advisory
- https://snyk.io/vuln/SNYK-JS-CHARTJS-1018716 third-party-advisory
- https://github.com/chartjs/Chart.js/pull/7920 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-7746 third-party-advisory