Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2023-0163
Analyzed
More InfoOfficial Page
Source-security@mozilla.org
View Known Exploited Vulnerability (KEV) details
Published At-26 Nov, 2024 | 12:15
Updated At-15 Oct, 2025 | 17:51

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still, a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files. This issue affects Convict: before 6.2.4.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.4HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.4
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Mozilla Corporation
mozilla
>>convict>>Versions before 6.2.4(exclusive)
cpe:2.3:a:mozilla:convict:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-1321Secondarysecurity@mozilla.org
CWE ID: CWE-1321
Type: Secondary
Source: security@mozilla.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/mozilla/node-convict/issues/410security@mozilla.org
Exploit
Issue Tracking
https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jfsecurity@mozilla.org
Vendor Advisory
Hyperlink: https://github.com/mozilla/node-convict/issues/410
Source: security@mozilla.org
Resource:
Exploit
Issue Tracking
Hyperlink: https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf
Source: security@mozilla.org
Resource:
Vendor Advisory
Change History
0Changes found
Details not found