You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Please upgrade these dependencies.
The text was updated successfully, but these errors were encountered:
According to GitHub Dependabot, used versions of
axiosanddexieare vulnerablengx-jsonapi/package.json
Lines 154 to 155 in 6a50dc5
Dexie:
Affected versions: < 3.2.2
Patched version: 3.2.2
Axios:
Affected versions: >= 0.8.1, < 1.6.0
Patched version: 1.6.0
Please upgrade these dependencies.
The text was updated successfully, but these errors were encountered: