Denis Makrushin

Bug Hunting Talks: Payment Systems Security

by Denis Makrushin July 25, 2021

Payment systems are a tempting target for attackers, but they are often out of scope for bug hunters outside the company. Bug bounty programs of financial organizations cover resources that sit on the attack surface, and it is quite difficult for a researcher to dig deeper into the internal financial processes. So we have to limit ourselves to XSS and SSRF in the web application of the payment system.


Application Security: Champions Program (HITB2021)

by Denis Makrushin July 19, 2021

To properly implement a product maturity program, organizations need to embed and grow security expertise. Cultivating application security champions requires the right pivot point in the following topic: application bug hunting and mitigation strategy.


New Prototype Pollution vulnerabilities in npm package

by Denis Makrushin June 29, 2021

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28450

We discovered two more JS Prototype Pollution vulnerabilities in one more npm package: CVE-2020-28449, CVE-2020-28450. The package has ~200 weekly downloads, so its popularity is limited. However, because a patch is still unavailable, check the details and make sure that your Node.js app is not affected.


@ 2009. Denis Makrushin

