Vulnerability DatabaseCVE-2023-46308
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-46308
January 03, 2024
In Plotly plotly.js before 2.25.2, plot API calls have a risk of proto being polluted in expandObjectPaths or nestedProperty.
Affected Packages
plotly.js (CDN_JS):
Affected version(s) >=1.0.0 <2.25.2
Fix Suggestion:
Update to version 2.25.2
plotly.js (NPM):
Affected version(s) >=1.0.0 <2.25.2
Fix Suggestion:
Update to version 2.25.2
Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (8)
https://plotly.com/javascript
https://github.com/plotly/plotly.js/releases/tag/v2.25.2
https://plotly.com/javascript/
https://github.com/plotly/plotly.js/commit/02498404c8ad7a3395191e65694fb142a37b0fe9
https://nvd.nist.gov/vuln/detail/CVE-2023-46308
https://github.com/plotly/plotly.js/commit/5efd2a1f07a418b230a5626fc6c1c7929c47949d
https://github.com/plotly/plotly.js
https://github.com/plotly/plotly.R/issues/2463
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1321
EPSS
Base Score:
0.15