org.webjars.npm:ag-grid-community 20.1.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:ag-grid-community package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Improperly Controlled Modification of Dynamically-Determined Object Attributes org.webjars.npm:ag-grid-community is a fully-featured and highly customizable JavaScript data grid. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the `_.mergeDeep` function. An attacker can execute arbitrary code or cause a disruption of service by modify built-in `Object.prototype` with an argument containing a special property `__proto__` to pollute the application logic. How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes? Upgrade `org.webjars.npm:ag-grid-community` to version 32.2.0 or higher.	[,32.2.0)
M Cross-site Scripting (XSS) org.webjars.npm:ag-grid-community is a fully-featured and highly customizable JavaScript data grid. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). By using `cellRenderer` with a simple function and `valueFormatter` together, you are able to target the `loadTemplate` function, which executes the script since it is using the `innerHTML` property. This is only the case when you are returning a string, number, or boolean. PoC // An example application: https://embed.plnkr.co/plunk/fbtYhl // Replace ColumnDefinition with below headerName: "Ag grid Testing Header 1 With Long text", field: "value", headerComponent: "CustomHeader", valueFormatter: () => `><img src=x onerror=prompt(document.domain)>` }, How to fix Cross-site Scripting (XSS)? Upgrade `org.webjars.npm:ag-grid-community` to version 25.3.0 or higher.	[,25.3.0)

Vulnerability

Vulnerable Version

Improperly Controlled Modification of Dynamically-Determined Object Attributes

org.webjars.npm:ag-grid-community is a fully-featured and highly customizable JavaScript data grid.

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the _.mergeDeep function. An attacker can execute arbitrary code or cause a disruption of service by modify built-in Object.prototype with an argument containing a special property __proto__ to pollute the application logic.

How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

Upgrade org.webjars.npm:ag-grid-community to version 32.2.0 or higher.

[,32.2.0)

Cross-site Scripting (XSS)

org.webjars.npm:ag-grid-community is a fully-featured and highly customizable JavaScript data grid.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). By using cellRenderer with a simple function and valueFormatter together, you are able to target the loadTemplate function, which executes the script since it is using the innerHTML property.

This is only the case when you are returning a string, number, or boolean.

PoC

// An example application: https://embed.plnkr.co/plunk/fbtYhl
// Replace ColumnDefinition with below
                  headerName: "Ag grid Testing Header 1 With Long text",
                  field: "value",
                   headerComponent: "CustomHeader",
                   valueFormatter: () => `><img src=x onerror=prompt(document.domain)>`
              },

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.npm:ag-grid-community to version 25.3.0 or higher.

[,25.3.0)

org.webjars.npm:ag-grid-community@20.1.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?

PoC