Total: 56 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46308 | 1 Plotly | 1 Plotly.js | 2024-01-09 | N/A | 9.8 CRITICAL |
| In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty. | |||||
| CVE-2022-29823 | 1 Feathersjs | 1 Feathers-sequelize | 2024-01-02 | N/A | 9.8 CRITICAL |
| The Feathers-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in Remote Code Execution (RCE) with the privileges of the application. | |||||
| CVE-2023-45827 | 1 Clickbar | 1 Dot-diver | 2023-11-14 | N/A | 9.8 CRITICAL |
| Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can lead to remote code execution (RCE). This issue has been addressed in commit `98daf567`, which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-1717 | 1 Bitrix24 | 1 Bitrix24 | 2023-11-09 | N/A | 9.6 CRITICAL |
| Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting `__proto__[tag]` and `__proto__[text]`. | |||||
| CVE-2021-26505 | 1 Hello.js Project | 1 Hello.js | 2023-08-16 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6 allows remote attackers to execute arbitrary code via the hello.utils.extend function. | |||||
| CVE-2023-2972 | 1 Antfu | 1 Utils | 2023-08-16 | N/A | 9.8 CRITICAL |
| Prototype Pollution in GitHub repository antfu/utils prior to 0.7.3. | |||||
| CVE-2021-23396 | 1 Lutils Project | 1 Lutils | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function. | |||||
| CVE-2021-25914 | 1 Fireblink | 1 Object-collider | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25941 | 1 Deep-override Project | 1 Deep-override | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25912 | 1 Dotty Project | 1 Dotty | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25913 | 1 Set-or-get Project | 1 Set-or-get | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'set-or-get' versions 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25916 | 1 Patchmerge Project | 1 Patchmerge | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'patchmerge' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25927 | 1 Safe-flat Project | 1 Safe-flat | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25928 | 1 Manta | 1 Safe-obj | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25943 | 1 101 Project | 1 101 | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25944 | 1 Deep-defaults Project | 1 Deep-defaults | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25946 | 1 Nconf-toml Project | 1 Nconf-toml | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in `nconf-toml` versions 0.0.1 through 0.0.2 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25947 | 1 Nestie Project | 1 Nestie | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25953 | 1 Putil-merge Project | 1 Putil-merge | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'putil-merge' versions 1.0.0 through 3.6.6 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2023-3696 | 1 Mongoosejs | 1 Mongoose | 2023-08-02 | N/A | 9.8 CRITICAL |
| Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. | |||||
| CVE-2023-3186 | 1 Supsystic | 1 Popup | 2023-07-28 | N/A | 9.8 CRITICAL |
| The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype. | |||||
| CVE-2021-3645 | 1 Merge Project | 1 Merge | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | |||||
| CVE-2021-3766 | 1 Objection Project | 1 Objection | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | |||||
| CVE-2021-3666 | 1 Xml Body Parser Project | 1 Xml Body Parser | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | |||||
| CVE-2021-3918 | 1 Json-schema Project | 1 Json-schema | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | |||||
| CVE-2021-23450 | 2 Linuxfoundation, Oracle | 3 Dojo, Communications Policy Management, Primavera Unifier | 2022-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. | |||||
| CVE-2022-22912 | 1 Plist Project | 1 Plist | 2022-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution. | |||||
| CVE-2021-40663 | 1 Deep.assign Project | 1 Deep.assign | 2022-07-09 | 7.5 HIGH | 9.8 CRITICAL |
| deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | |||||
| CVE-2022-31106 | 1 Clever | 1 Underscore.deep | 2022-07-08 | 7.5 HIGH | 9.8 CRITICAL |
| Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to prevent specific keywords which will prevent this from happening. | |||||
| CVE-2022-21231 | 1 Deep-get-set Project | 1 Deep-get-set | 2022-07-06 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666) | |||||
| CVE-2022-24760 | 3 Canonical, Microsoft, Parseplatform | 3 Ubuntu Linux, Windows, Parse-server | 2022-07-01 | 7.5 HIGH | 10.0 CRITICAL |
| Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm. | |||||
| CVE-2019-19919 | 2 Handlebars.js Project, Tenable | 2 Handlebars.js, Tenable.sc | 2022-06-03 | 7.5 HIGH | 9.8 CRITICAL |
| Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. | |||||
| CVE-2021-42581 | 1 Ramdajs | 1 Ramda | 2022-06-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| ** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes. | |||||
| CVE-2022-21190 | 1 Mozilla | 1 Convict | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604). The [fix](https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880) introduced relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks whether it starts with __proto__ or this.constructor.prototype. To bypass this check it is possible to prepend the dangerous paths with any string value followed by a dot, for example foo.__proto__ or foo.this.constructor.prototype. | |||||
| CVE-2022-22143 | 1 Mozilla | 1 Convict | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL |
| The package convict before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508). | |||||
| CVE-2022-25301 | 1 Jsgui-lang-essentials Project | 1 Jsgui-lang-essentials | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. | |||||
| CVE-2022-21189 | 1 Dexie | 1 Dexie | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL |
| The package dexie before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3, is vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function, which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add or modify properties of Object.prototype, leading to a prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input. | |||||
| CVE-2021-23702 | 1 Object-extend Project | 1 Object-extend | 2022-02-25 | 7.5 HIGH | 9.8 CRITICAL |
| The package object-extend from 0.0.0 is vulnerable to Prototype Pollution via object-extend. | |||||
| CVE-2021-23682 | 2 Appwrite, Litespeed.js Project | 2 Appwrite, Litespeed.js | 2022-02-24 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package litespeed.js before 0.3.12, and the package appwrite/server-ce from 0.12.0 and before 0.12.2, and before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized, leading to a Prototype Pollution vulnerability. | |||||
| CVE-2021-23497 | 1 Set Project | 1 Set | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821. | |||||
| CVE-2021-23507 | 1 Skratchdot | 1 Object-path-set | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| The package object-path-set before 1.0.2 is vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-OBJECTPATHSET-607908. | |||||
| CVE-2021-23470 | 1 Putil-merge Project | 1 Putil-merge | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077. | |||||
| CVE-2021-23760 | 1 Keyget Project | 1 Keyget | 2022-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The package keyget from 0.0.0 is vulnerable to Prototype Pollution via the methods set, push, and at, which could allow an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28272](https://security.snyk.io/vuln/SNYK-JS-KEYGET-1048048). | |||||
| CVE-2021-23558 | 1 Bmoor Project | 1 Bmoor | 2022-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The package bmoor before 0.10.1 is vulnerable to Prototype Pollution due to missing sanitization in the set function. **Note:** This vulnerability derives from an incomplete fix in [CVE-2020-7736](https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664). | |||||
| CVE-2021-23518 | 1 Cached-path-relative Project | 1 Cached-path-relative | 2022-01-27 | 7.5 HIGH | 9.8 CRITICAL |
| The package cached-path-relative before 1.1.0 is vulnerable to Prototype Pollution via the cache variable, which is set as {} instead of Object.create(null) in the cachedPathRelative function; this allows access to the parent prototype properties when the object is used to create the cached relative path. When the origin path is __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573. | |||||
| CVE-2021-23568 | 1 Eggjs | 1 Extend2 | 2022-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| The package extend2 before 1.0.1 is vulnerable to Prototype Pollution via the extend function due to an unsafe recursive merge. | |||||
| CVE-2021-23594 | 1 Agoric | 1 Realms-shim | 2022-01-13 | 7.5 HIGH | 10.0 CRITICAL |
| All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. | |||||
| CVE-2021-23543 | 1 Agoric | 1 Realms-shim | 2022-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. | |||||
| CVE-2021-23574 | 1 Js-data | 1 Js-data | 2022-01-12 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS-JSDATA-1023655). | |||||
| CVE-2020-28270 | 1 Mjpclab | 1 Object-hierarchy-access | 2022-01-06 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'object-hierarchy-access' versions 0.2.0 through 0.32.0 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
