Vulnerability Description
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed: the existing options (or the default options) are deeply merged with the caller-supplied options, and during that merge the keys of the object being written to are not checked. A key such as `__proto__` in attacker-controlled options therefore resolves to `Object.prototype` and is written through, leading to prototype pollution.
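The merge pattern described above, as an added example that is not Chart.js code: a naive recursive options merge that walks every key of the source into the target, beside a hardened version that merges only own keys and refuses the keys that reach the prototype chain. The `defaults()` object, the `PAYLOAD` string and the `probe` helper are constructed for this demonstration and are not taken from the project.

```javascript
// Added example, not Chart.js code. Shows how an unchecked deep merge of user
// options pollutes Object.prototype, and one way to harden the merge.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: every key of `source` is walked into `target`, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion writes into it.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that, when merged into a plain object, mutate or reach the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: only own enumerable keys are merged, forbidden keys are dropped, and an
// existing nested target is reused only if it is an own plain-object property.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled options, e.g. deserialized from a request body.
// JSON.parse creates an own property literally named "__proto__"; an object literal
// with that key would set the prototype instead and not reproduce the bug.
const PAYLOAD = '{"legend":{"display":false},"__proto__":{"polluted":"yes"}}';

// Constructed stand-in for a chart's default options.
function defaults() {
  return { legend: { display: true, position: 'top' } };
}

// Runs one merge and reports what an unrelated, freshly created object now sees.
// Cleans up Object.prototype afterwards so later code in the process is unaffected.
function probe(mergeFn) {
  const opts = mergeFn(defaults(), JSON.parse(PAYLOAD));
  const leaked = ({}).polluted; // undefined unless Object.prototype was polluted
  delete Object.prototype.polluted;
  return { legendDisplay: opts.legend.display, leaked };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', probe(mergeUnsafe)); // leaked: 'yes'
  console.log('safe:  ', probe(mergeSafe));   // leaked: undefined
}
```

Both merges apply the legitimate `legend.display` override; only the unsafe one lets the `__proto__` branch leak into every object in the runtime. Dropping the three forbidden keys is the minimal fix; building option objects with `Object.create(null)` or using `Map` for user-keyed data removes the prototype chain from the problem entirely.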
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chartjs | Chart.Js | < 2.9.4 |
Related Weaknesses (CWE)
References
- https://github.com/chartjs/Chart.js/pull/7920 (Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1019375 (Exploit, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCHARTJS-1019376 (Exploit, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019374 (Exploit, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-CHARTJS-1018716 (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-7746?
CVE-2020-7746 is a prototype pollution vulnerability in the chart.js package before 2.9.4, with a CVSS base score of 7.5 (HIGH). The options passed to a chart are deeply merged into the existing or default options without checking the keys being written, so attacker-controlled options can modify Object.prototype. See the Vulnerability Description above.
How severe is CVE-2020-7746?
CVE-2020-7746 has been rated HIGH with a CVSS base score of 7.5/10. Only the base score is listed above; the impact in practice depends on which properties the polluted prototype exposes to the rest of the application.
Is there a patch for CVE-2020-7746?
Yes. The fix is the chart.js pull request linked in the references section above (tagged Patch); chart.js 2.9.4 and later contain it, so upgrade to at least 2.9.4. Affected products include: Chartjs Chart.Js.