Submission #832447: RubyLouvre avalon 0.9.9 - 2.2.10 Code Injection / Prototype Pollution

Title: RubyLouvre avalon 0.9.9 - 2.2.10 Code Injection / Prototype Pollution
Description: The Avalon MVVM framework stores template filters in a plain object (avalon.filters = {}) and looks them up via bracket notation without a hasOwnProperty check. An attacker can therefore reach Object.prototype properties through filter names such as __proto__ or constructor. Combined with the template parser's use of new Function() for expression compilation, this enables remote code execution when an attacker controls template content. The project has been unmaintained since 2019 but is still widely used in legacy systems.
Source: https://github.com/OriginSecurityX/avalon-filter-rce
User: Frederick (UID 98351)
Submission: 18/05/2026 12:00 (28 days ago)
Moderation: 14/06/2026 14:27 (27 days later)
Status: Accepted
VulDB Entry: 370851 [RubyLouvre avalon up to 2.2.10 Template Filter src/filters/index.js]
Points: 20
