CVE-2020-28458

HIGH

Datatables.net < 1.10.23 - Prototype Pollution

Title source: rule

Description

All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.

Exploits (2)

nomisec WORKING POC 6 stars

by fazilbaig1 · poc

https://github.com/fazilbaig1/CVE-2020-28458

View Code ZIP pw:eip

nomisec WORKING POC

by Raka200juta · poc

https://github.com/Raka200juta/28458

View Code ZIP pw:eip

References (7)

[Patch, Third Party Advisory] https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03

[Broken Link, Third Party Advisory] https://github.com/DataTables/Dist-DataTables/blob/master/js/jquery.dataTables.js%23L2766

[Third Party Advisory] https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1051961

[Third Party Advisory] https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1051962

[Third Party Advisory] https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402

[Exploit, Third Party Advisory] https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20240621-0006/

Scores

CVSS v3 7.3

EPSS 0.0123

EPSS Percentile 79.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-1321

Status published

Products (2)

datatables/datatables.net < 1.10.23

npm/datatables.net 0 - 1.10.22npm

Published Dec 16, 2020

Tracked Since Feb 18, 2026