GHSA-78p3-fwcq-62c2: 
JavaScript vulnerability analysis and mitigation

A high severity vulnerability was discovered in @saltcorn/server versions <= 1.0.0-beta.13, identified as GHSA-78p3-fwcq-62c2. The vulnerability exists in the endpoint /site-structure/localizer/save-string/:lang/:defstring which accepts two parameter values (lang and defstring) that are used unsafely to set keys and values of the cfgStrings object. This vulnerability was disclosed on October 3, 2024, and has been patched in version 1.0.0-beta.14 (GitHub Advisory).

The vulnerability stems from prototype pollution in the localizer string-saving functionality. The endpoint fails to properly validate the lang and defstring parameters before using them to modify the cfgStrings object. This allows attackers to add or modify properties of the Object prototype, leading to multiple security issues. The vulnerability has a CVSS score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, low complexity, high privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability can lead to multiple severe security issues: Remote Code Execution (RCE) through pollution of the tempRootFolder property, SQL injection vulnerabilities when using PostgreSQL database by polluting the schema property, and various business logic errors. The impact affects both the application's integrity and the underlying system's security (GitHub Advisory).

The vulnerability has been patched in version 1.0.0-beta.14. The recommended mitigation involves checking the values of lang and defstring parameters against dangerous properties like proto, constructor, and prototype. Users should upgrade to the patched version as soon as possible (GitHub Commit).