Total: 90 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-39296 | 1 Qnap | 2 Qts, Quts Hero | 2024-01-11 | N/A | 7.5 HIGH |
| A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have an incompatible type, which may lead to a crash via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later; QuTS hero h5.1.3.2578 build 20231110 and later | |||||
| CVE-2023-46308 | 1 Plotly | 1 Plotly.js | 2024-01-09 | N/A | 9.8 CRITICAL |
| In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty. | |||||
| CVE-2022-29823 | 1 Feathersjs | 1 Feathers-sequelize | 2024-01-02 | N/A | 9.8 CRITICAL |
| The Feathers-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in Remote Code Execution (RCE) with the privileges of the application. | |||||
| CVE-2023-26920 | 1 Naturalintelligence | 1 Fast Xml Parser | 2023-12-14 | N/A | 6.5 MEDIUM |
| fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution. | |||||
| CVE-2023-26158 | 1 Mockjs | 1 Mock.js | 2023-12-12 | N/A | 8.2 HIGH |
| All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to a missing check of whether the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on the existence or non-existence of certain attributes, or uses pre-defined attributes of the object prototype (such as hasOwnProperty, toString or valueOf). User-controlled inputs inside the extend() method of Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util will allow an attacker to exploit this vulnerability. Workaround: by using a denylist of dangerous attributes, this weakness can be eliminated. Add the following line in the Util.extend function: `if (["__proto__", "constructor", "prototype"].includes(name)) continue`. The patched function in src/mock/handler.js then reads: `Util.extend = function extend() { var target = arguments[0] \|\| {}, i = 1, length = arguments.length, options, name, src, copy, clone; if (length === 1) { target = this; i = 0; } for (; i < length; i++) { options = arguments[i]; if (!options) continue; for (name in options) { if (["__proto__", "constructor", "prototype"].includes(name)) continue; src = target[name]; copy = options[name]; if (target === copy) continue; if (copy === undefined) continue; if (Util.isArray(copy) \|\| Util.isObject(copy)) { if (Util.isArray(copy)) clone = src && Util.isArray(src) ? src : []; if (Util.isObject(copy)) clone = src && Util.isObject(src) ? src : {}; target[name] = Util.extend(clone, copy); } else { target[name] = copy; } } } return target; }` | |||||
| CVE-2023-6293 | 1 Sequelizejs | 1 Sequelize-typescript | 2023-11-30 | N/A | 7.1 HIGH |
| Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6. | |||||
| CVE-2022-46175 | 2 Fedoraproject, Json5 | 2 Fedora, Json5 | 2023-11-26 | N/A | 8.8 HIGH |
| JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later. | |||||
| CVE-2023-45827 | 1 Clickbar | 1 Dot-diver | 2023-11-14 | N/A | 9.8 CRITICAL |
| Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can lead to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability. | |||||
| CVE-2023-1717 | 1 Bitrix24 | 1 Bitrix24 | 2023-11-09 | N/A | 9.6 CRITICAL |
| Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting `__proto__[tag]` and `__proto__[text]`. | |||||
| CVE-2021-26505 | 1 Hello.js Project | 1 Hello.js | 2023-08-16 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, allows remote attackers to execute arbitrary code via hello.utils.extend function. | |||||
| CVE-2023-2972 | 1 Antfu | 1 Utils | 2023-08-16 | N/A | 9.8 CRITICAL |
| Prototype Pollution in GitHub repository antfu/utils prior to 0.7.3. | |||||
| CVE-2021-20086 | 1 Jquery-bbq Project | 1 Jquery-bbq | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype. | |||||
| CVE-2021-20088 | 1 Mootools | 1 Mootools-more | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype. | |||||
| CVE-2021-20087 | 1 Acemetrix | 1 Jquery-deparam | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype. | |||||
| CVE-2021-25914 | 1 Fireblink | 1 Object-collider | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25941 | 1 Deep-override Project | 1 Deep-override | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-23408 | 1 Graphhopper | 1 Graphhopper | 2023-08-08 | 4.3 MEDIUM | 4.3 MEDIUM |
| This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload. | |||||
| CVE-2021-25953 | 1 Putil-merge Project | 1 Putil-merge | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'putil-merge' versions 1.0.0 through 3.6.6 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-23396 | 1 Lutils Project | 1 Lutils | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function. | |||||
| CVE-2021-23395 | 1 Nedb Project | 1 Nedb | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload. | |||||
| CVE-2021-25947 | 1 Nestie Project | 1 Nestie | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25946 | 1 Nconf-toml Project | 1 Nconf-toml | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in `nconf-toml` versions 0.0.1 through 0.0.2 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25944 | 1 Deep-defaults Project | 1 Deep-defaults | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25943 | 1 101 Project | 1 101 | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25928 | 1 Manta | 1 Safe-obj | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25927 | 1 Safe-flat Project | 1 Safe-flat | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-20089 | 1 Purl Project | 1 Purl | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in purl 2.3.2 allows a malicious user to inject properties into Object.prototype. | |||||
| CVE-2021-20085 | 1 Backbone-query-parameters Project | 1 Backbone-query-parameters | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype. | |||||
| CVE-2021-20084 | 1 Jquery-sparkle Project | 1 Jquery-sparkle | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-sparkle 1.5.2-beta allows a malicious user to inject properties into Object.prototype. | |||||
| CVE-2021-25916 | 1 Patchmerge Project | 1 Patchmerge | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'patchmerge' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25913 | 1 Set-or-get Project | 1 Set-or-get | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'set-or-get' version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-25912 | 1 Dotty Project | 1 Dotty | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-23329 | 1 Getadigital | 1 Nested-object-assign | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| The package nested-object-assign before 1.0.4 is vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below. | |||||
| CVE-2023-26139 | 1 Underscore-keypath Project | 1 Underscore-keypath | 2023-08-04 | N/A | 7.5 HIGH |
| Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “__proto__”. | |||||
| CVE-2023-3696 | 1 Mongoosejs | 1 Mongoose | 2023-08-02 | N/A | 9.8 CRITICAL |
| Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. | |||||
| CVE-2023-3186 | 1 Supsystic | 1 Popup | 2023-07-28 | N/A | 9.8 CRITICAL |
| The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype. | |||||
| CVE-2022-21824 | 4 Debian, Netapp, Nodejs and 1 more | 11 Debian Linux, Oncommand Insight, Oncommand Workflow Automation and 8 more | 2022-07-30 | 6.4 MEDIUM | 8.2 HIGH |
| Due to the formatting logic of the "console.table()" function it was not safe to allow user-controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype for the object these properties are being assigned to. | |||||
| CVE-2021-3645 | 1 Merge Project | 1 Merge | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
| CVE-2021-3766 | 1 Objection Project | 1 Objection | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
| CVE-2021-3666 | 1 Xml Body Parser Project | 1 Xml Body Parser | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
| CVE-2021-3805 | 1 Object-path Project | 1 Object-path | 2022-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
| CVE-2021-3918 | 1 Json-schema Project | 1 Json-schema | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
| CVE-2022-2564 | | | 2022-07-29 | N/A | N/A |
| Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. | |||||
| CVE-2020-7641 | 1 Grunt-util-property Project | 1 Grunt-util-property | 2022-07-25 | N/A | 7.8 HIGH |
| This affects all versions of package grunt-util-property. The function call could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | |||||
| CVE-2021-23450 | 2 Linuxfoundation, Oracle | 3 Dojo, Communications Policy Management, Primavera Unifier | 2022-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. | |||||
| CVE-2021-32736 | 1 Thinkjs | 1 Think-helper | 2022-07-22 | 5.0 MEDIUM | 7.5 HIGH |
| think-helper defines a set of helper functions for ThinkJS. In versions of think-helper prior to 1.1.3, the software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. The vulnerability is patched in version 1.1.3. | |||||
| CVE-2022-22912 | 1 Plist Project | 1 Plist | 2022-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution. | |||||
| CVE-2021-23597 | 1 Fastify | 1 Fastify-multipart | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382). | |||||
| CVE-2021-40663 | 1 Deep.assign Project | 1 Deep.assign | 2022-07-09 | 7.5 HIGH | 9.8 CRITICAL |
| deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | |||||
| CVE-2022-31106 | 1 Clever | 1 Underscore.deep | 2022-07-08 | 7.5 HIGH | 9.8 CRITICAL |
| Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to prevent specific keywords which will prevent this from happening. | |||||
