CVE-2020-28458: 
JavaScript vulnerability analysis and mitigation

All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for a previous vulnerability. The vulnerability was discovered on October 7, 2020, and disclosed on December 16, 2020. This vulnerability affects the DataTables for jQuery package and its implementations across various platforms (NVD, Snyk).

The vulnerability is identified as a Prototype Pollution issue that occurs when 'constructor' is used in a data property name. It has been assigned a CVSS v3.1 base score of 7.3 (High), with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction. The vulnerability affects the security properties of Confidentiality, Integrity, and Availability, all rated as Low impact (Snyk).

When successfully exploited, this vulnerability can lead to Prototype Pollution, which may result in denial of service, remote code execution potential, or property injection. The impact includes possible information disclosure, data modification, and interruptions in resource availability. The vulnerability allows attackers to inject properties into existing JavaScript language construct prototypes (Snyk).

The recommended mitigation is to upgrade datatables.net to version 1.10.23 or higher. For the Java implementations, org.webjars.bower:datatables.net should be upgraded to version 1.10.25 or higher, and org.webjars.npm:datatables.net should be upgraded to version 2.1.2 or higher (Snyk, Snyk).