This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-10-29T08:05:17.720774Z

Updated: 2024-09-16T19:25:49.326Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7746

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-10-29T08:15:12.007

Modified: 2024-11-21T05:37:43.483

Link: CVE-2020-7746

cve-icon Redhat

Severity : Important

Publid Date: 2020-10-19T00:00:00Z

Links: CVE-2020-7746 - Bugzilla