Merge pull request #150 from AikidoSec/new-in-php-date-formatter

willem-delbare · web-flow · commit 4dc647ffef9e · 2025-02-07T17:34:40.000+01:00
new vulnerability in php-date-formatter
diff --git a/vulnerabilities/AIKIDO-2025-10081.json b/vulnerabilities/AIKIDO-2025-10081.json
@@ -0,0 +1,27 @@
+{
+  "package_name": "php-date-formatter",
+  "patch_versions": [
+    "1.3.7"
+  ],
+  "vulnerable_ranges": [
+    [
+      "1.2.0",
+      "1.3.6"
+    ]
+  ],
+  "cwe": [
+    "CWE-1321"
+  ],
+  "tldr": "Affected versions of `php-date-formatter` are vulnerable to a prototype pollution when using the `DateFormatter` class.",
+  "doest_this_affect_me": "You are affected if you use a vulnerable version of `php-date-formatter`.",
+  "how_to_fix": "Upgrade `php-date-formatter` to a patch version.",
+  "reporter": "",
+  "vulnerable_to": "Prototype Pollution",
+  "related_cve_id": "",
+  "language": "JS",
+  "severity_class": "MEDIUM",
+  "aikido_score": 40,
+  "changelog": "https://github.com/kartik-v/php-date-formatter/releases/tag/v1.3.7",
+  "last_modified": "2025-02-07",
+  "published": "2025-02-07"
+}
