A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
An attacker provides a specially crafted payload to the util-deps.addFileDepend function, which does not properly validate the keys passed to objects. As a result, it is possible to modify the global JavaScript prototype — Object.prototype — by injecting arbitrary properties into it. The polluted prototype is inherited by all objects in the application, which can lead to unpredictable runtime behavior and service failure (DoS). Publicly available PoC code confirming the possibility of exploiting the vulnerability can be found in the references.
An attacker can cause denial of service (DoS) by destabilizing the JavaScript environment. Depending on the application context, Prototype Pollution may also pave the way for privilege escalation or remote code execution.
Apply patches available from the manufacturer according to the references. Until an update is applied, it is recommended to restrict the ability to pass untrusted input data to the util-deps.addFileDepend function.
The magix-combine-ex package in versions up to and including 1.2.10 (thru 1.2.10).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMagix Combine Ex Project Magix Combine Ex
APPMagix-Combine-Ex Project≤ 1.2.10