CVE-2023-2582

MEDIUM Year: 2023
CVSS v3 Score
6.1
Medium
Weakness Type
CWE-1321
View all →

Vulnerability Description

A prototype pollution vulnerability exists in Strikingly CMS which can result in reflected cross-site scripting (XSS) in affected applications and sites built with Strikingly. The vulnerability exists because of Strikingly JavaScript library parsing the URL fragment allows access to the __proto__ or constructor properties and the Object prototype. By leveraging an embedded gadget like jQuery, an attacker who convinces a victim to visit a specially crafted link could achieve arbitrary javascript execution in the context of the user's browser.

Related Vulnerabilities

CVE-2019-11358

MEDIUM
CVSS:6.1(Medium)

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an en...

CWE-13212019

CVE-2021-43956

MEDIUM
CVSS:6.1(Medium)

The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.

CWE-13212021

CVE-2022-21169

MEDIUM
CVSS:6.1(Medium)

The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.

CWE-13212022

CVE-2022-23395

MEDIUM
CVSS:6.1(Medium)

jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS).

CWE-13212022

CVE-2022-3901

MEDIUM
CVSS:6.1(Medium)

Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system.

CWE-13212022

CVE-2024-21528

MEDIUM
CVSS:5.9(Medium)

All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper user input sanitization.

CWE-13212024