I got this email about our website today; it looks like spam/phishing to me. Am I right?
P.S. I hope I posted this in the right subforum.

Hello Team,
I am Devansh working as a security researcher and I found a bug in your site.
Report of bug is as follows:
Vulnerability name: Prototype pollution
Vulnerability Description
$.extend can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects. Note that only the "deep" version of $.extend is affected.
Users sometimes use $.extend for things like cloning an object or filling in defaults in an object with some options in it. It is not at all obvious that this is an unsafe operation.
An Object.prototype pollution vulnerability existed within the jQuery dependency
In jQuery before some versions the function merge() could be tricked into adding or modifying properties of Object.prototype using a proto payload.
Steps to Reproduce:
1- Visit the website
2- Go to inspect element, then paste this payload in the console: $.extend(true, {}, JSON.parse('{"proto": {"devMode": true}}'))
Impact:
With prototype pollution, an attacker might control the default values of an object's properties. This allows the attacker to tamper with the logic of the application and can also lead to denial of service or, in extreme cases, remote code execution.
Video PoC attached
Thanks & Regards
Devansh
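To see what the report is actually describing, here is an added example (not code from the post or from jQuery): a toy recursive merge in the style of `$.extend(true, ...)`, once in the unsafe form and once with the fix jQuery shipped, which skips keys that reach the prototype chain. The payload key is `__proto__`; the forum's formatting stripped the underscores. `naiveDeepExtend`, `safeDeepExtend` and `leaksIntoPrototype` are hypothetical names for this example.

```javascript
// Added example, not code from the forum post or from jQuery. Hypothetical toy
// deep merge in the style of $.extend(true, ...); jQuery's real code differs.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isObjectLike(v) {
  return v !== null && typeof v === "object";
}

// Unsafe: reading target["__proto__"] yields Object.prototype, so the recursion
// writes the payload's properties onto every object in the program.
function naiveDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isObjectLike(val)) {
      if (!isObjectLike(target[key])) target[key] = {};
      naiveDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: refuse keys that can reach the prototype, and only recurse into
// the target's own properties, never inherited ones.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (isObjectLike(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObjectLike(target[key])) target[key] = {};
      safeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// The report's payload (underscores restored). JSON.parse makes "__proto__" an
// own, enumerable key, which is why Object.keys() hands it to the merge.
const REPORT_PAYLOAD = '{"__proto__": {"devMode": true}}';

// Regression check for a merge function: does `devMode` land on Object.prototype?
function leaksIntoPrototype(mergeFn) {
  mergeFn({}, JSON.parse(REPORT_PAYLOAD));
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, "devMode");
  delete Object.prototype.devMode; // clean up so later code is unaffected
  return polluted;
}
```

Running `leaksIntoPrototype` against a project's own merge helper is a cheap unit test to keep this class of bug from coming back.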