CVEs-PoC/2021/CVE-2021-23771.md

### [CVE-2021-23771](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23771)
![](https://img.shields.io/static/v1?label=Product&message=argencoders-notevil&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=notevil&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Sandbox%20Bypass&color=brightgreen)

### Description

This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).

### POC

#### Reference
- https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587
- https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946

#### Github
No PoCs found on GitHub currently.