Vendor: N/A
By: Anonymous
CVSS: 8.8 (HIGH)
Type: Type Confusion
CWE: 843
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2020

Type Confusion Vulnerability in JavascriptGeneratorFunction

The vulnerable method exposes 'scriptFunction' as 'this' when getting the 'length' property. The provided proof-of-concept code uses the __defineGetter__() method to set the 'length' property of the function to a variable, which is then used to call the 'scriptFunction' with arbitrary parameters, leading to type confusion.

Mitigation:

Ensure that the 'scriptFunction' is not exposed to user JavaScript code.

Exploit-DB raw data: