CVE-2020-7746 - Prototype Pollution
Severity: None
2023-11-09
Abstract
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the default options) are deeply merged with the provided options. However, during this operation, the keys of the object being set are not checked, leading to prototype pollution.
The Oxygen products incorporate chart.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Web Author v25.1.0.1 and older | None | N/A |
Detail
CVE-2020-7746
Severity: Critical
CVSS Score: 9.8
The chart.js third-party library used by Oxygen XML products is one of the affected versions mentioned in the CVE-2020-7746 vulnerability description. However, since this library doesn't use user-controlled options, this vulnerability does not affect Oxygen products.
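
The deep merge described in the abstract, shown as an added illustration (this is not chart.js or Oxygen code; the function names and the sample options are constructed for the example). It contrasts a merge that copies keys unchecked with one that skips prototype-reaching keys, and shows that the problem only arises when the merged options come from untrusted input.

```javascript
// Added illustration; not chart.js or Oxygen code. All names are hypothetical.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Deep merge with no key checks: the pattern the CVE description refers to.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      // target['__proto__'] resolves to Object.prototype, so recursion writes there.
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: skip prototype-reaching keys, only descend into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: chart options parsed from untrusted JSON.
const UNTRUSTED_OPTIONS = '{"legend":{"display":false},"__proto__":{"polluted":true}}';

function demo(merge) {
  const defaults = { legend: { display: true, position: 'top' } };
  const merged = merge(defaults, JSON.parse(UNTRUSTED_OPTIONS));
  const leaked = ({}).polluted === true; // does an unrelated object see the key?
  delete Object.prototype.polluted;      // clean up so runs are independent
  return { leaked, display: merged.legend.display, position: merged.legend.position };
}

console.log('unsafe:', demo(unsafeMerge));
console.log('safe:  ', demo(safeMerge));
```

Both merges apply the legitimate `legend.display` override; only the unchecked one lets the extra key reach `Object.prototype`.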