Candidate: CVE-2020-7746
PublicDate: 2020-10-29 08:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7746
 https://snyk.io/vuln/SNYK-JS-CHARTJS-1018716
 https://github.com/chartjs/Chart.js/pull/7920
Description:
 This affects the package chart.js before 2.9.4. The options parameter is
 not properly sanitized when it is processed. When the options are
 processed, the existing options (or the defaults options) are deeply merged
 with provided options. However, during this operation, the keys of the
 object being set are not checked, leading to a prototype pollution.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_node-chart.js:
upstream_node-chart.js: released (2.9.4+dfsg+~cs2.10.1-1)
precise/esm_node-chart.js: DNE
trusty_node-chart.js: ignored (out of standard support)
trusty/esm_node-chart.js: DNE
xenial_node-chart.js: DNE
bionic_node-chart.js: DNE
focal_node-chart.js: needs-triage
groovy_node-chart.js: ignored (reached end-of-life)
hirsute_node-chart.js: not-affected (2.9.4+dfsg+~cs2.10.1-1)
impish_node-chart.js: not-affected (2.9.4+dfsg+~cs2.10.1-1)
jammy_node-chart.js: not-affected (2.9.4+dfsg+~cs2.10.1-1)
devel_node-chart.js: not-affected (2.9.4+dfsg+~cs2.10.1-1)