VulnerableCode Package Details - pkg:rpm/redhat/ovirt-web-ui@1.6.7-1?arch=el8ev

Search for packages

Vulnerability	Summary	Fixed by
VCID-akqv-e39m-hye2 Aliases: CVE-2020-28477 GHSA-9qmh-276g-x5pj	Prototype Pollution in immer ## Overview Affected versions of immer are vulnerable to Prototype Pollution. ## Proof of exploit ```js const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted); ``` ## Remediation Version 8.0.1 contains a [fix](https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5) for this vulnerability, updating is recommended.	There are no reported fixed by versions.
VCID-gj58-zp49-2bdc Aliases: CVE-2019-20921 GHSA-7c82-mp33-r854	Cross-site scripting in bootstrap-select bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.	There are no reported fixed by versions.
VCID-v1ua-7a48-a7b1 Aliases: CVE-2020-28458 GHSA-m7j4-fhg6-xf5v	datatables.net vulnerable to Prototype Pollution due to incomplete fix All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-akqv-e39m-hye2
Aliases:
CVE-2020-28477
GHSA-9qmh-276g-x5pj

Prototype Pollution in immer ## Overview Affected versions of immer are vulnerable to Prototype Pollution. ## Proof of exploit ```js const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted); ``` ## Remediation Version 8.0.1 contains a [fix](https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5) for this vulnerability, updating is recommended.

There are no reported fixed by versions.

VCID-gj58-zp49-2bdc
Aliases:
CVE-2019-20921
GHSA-7c82-mp33-r854

Cross-site scripting in bootstrap-select bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.

There are no reported fixed by versions.

VCID-v1ua-7a48-a7b1
Aliases:
CVE-2020-28458
GHSA-m7j4-fhg6-xf5v

datatables.net vulnerable to Prototype Pollution due to incomplete fix All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:20:55.616050+00:00	RedHat Importer	Affected by	VCID-gj58-zp49-2bdc	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20921.json	38.0.0
2026-04-01T14:04:06.833099+00:00	RedHat Importer	Affected by	VCID-v1ua-7a48-a7b1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28458.json	38.0.0
2026-04-01T14:03:27.689382+00:00	RedHat Importer	Affected by	VCID-akqv-e39m-hye2	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28477.json	38.0.0