Total: 90 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-21231 | 1 Deep-get-set Project | 1 Deep-get-set | 2022-07-06 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666) | |||||
| CVE-2022-24760 | 3 Canonical, Microsoft, Parseplatform | 3 Ubuntu Linux, Windows, Parse-server | 2022-07-01 | 7.5 HIGH | 10.0 CRITICAL |
| Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm. | |||||
| CVE-2022-25871 | 1 Querymen Project | 1 Querymen | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. Note: This vulnerability derives from an incomplete fix of [CVE-2020-7600](https://security.snyk.io/vuln/SNYK-JS-QUERYMEN-559867). | |||||
| CVE-2022-21213 | 1 Moutjs | 1 Mout | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn function mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, which allows Prototype Pollution. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544). | |||||
| CVE-2022-25878 | 1 Protobufjs Project | 1 Protobufjs | 2022-06-08 | 5.0 MEDIUM | 7.5 HIGH |
| The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to the util.setProperty or ReflectionObject.setParsedOption functions; 2. by parsing/loading .proto files. | |||||
| CVE-2019-19919 | 2 Handlebars.js Project, Tenable | 2 Handlebars.js, Tenable.sc | 2022-06-03 | 7.5 HIGH | 9.8 CRITICAL |
| Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. | |||||
| CVE-2021-42581 | 1 Ramdajs | 1 Ramda | 2022-06-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| ** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes. | |||||
| CVE-2022-25862 | 1 Sds Project | 1 Sds | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to [CVE-2020-7618](https://security.snyk.io/vuln/SNYK-JS-SDS-564123) | |||||
| CVE-2022-21190 | 1 Mozilla | 1 Convict | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604). The [fix](https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880) introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with __proto__ or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.__proto__ or foo.this.constructor.prototype. | |||||
| CVE-2022-25324 | 1 Bignum Project | 1 Bignum | 2022-05-17 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check failure in V8: when the type of the second argument to the .powm function is not what V8 expects, V8 crashes the process regardless of any Node.js try/catch blocks. | |||||
| CVE-2021-43138 | 1 Async Project | 1 Async | 2022-05-13 | 6.8 MEDIUM | 7.8 HIGH |
| In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. | |||||
| CVE-2020-8203 | 2 Lodash, Oracle | 18 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 15 more | 2022-05-12 | 5.8 MEDIUM | 7.4 HIGH |
| Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | |||||
| CVE-2022-22143 | 1 Mozilla | 1 Convict | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL |
| The package convict before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508) | |||||
| CVE-2022-25301 | 1 Jsgui-lang-essentials Project | 1 Jsgui-lang-essentials | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. | |||||
| CVE-2022-25645 | 1 Dset Project | 1 Dset | 2022-05-11 | 6.8 MEDIUM | 8.1 HIGH |
| All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution only by validating whether the top-level path contains __proto__, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution. | |||||
| CVE-2022-21189 | 1 Dexie | 1 Dexie | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL |
| The package dexie before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3, is vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function, which does not properly check the keys being set (such as __proto__ or constructor). This can allow an attacker to add/modify properties of Object.prototype, leading to a prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input. | |||||
| CVE-2022-24279 | 1 Springtree | 1 Madlib-object-utils | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| The package madlib-object-utils before 0.1.8 is vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676) | |||||
| CVE-2021-23702 | 1 Object-extend Project | 1 Object-extend | 2022-02-25 | 7.5 HIGH | 9.8 CRITICAL |
| The package object-extend from 0.0.0 is vulnerable to Prototype Pollution via object-extend. | |||||
| CVE-2021-23682 | 2 Appwrite, Litespeed.js Project | 2 Appwrite, Litespeed.js | 2022-02-24 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package litespeed.js before 0.3.12, and the package appwrite/server-ce before 0.11.1 and from 0.12.0 before 0.12.2. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized, leading to a Prototype Pollution vulnerability. | |||||
| CVE-2021-23497 | 1 Set Project | 1 Set | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821 | |||||
| CVE-2021-23507 | 1 Skratchdot | 1 Object-path-set | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| The package object-path-set before 1.0.2 is vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-OBJECTPATHSET-607908 | |||||
| CVE-2021-23470 | 1 Putil-merge Project | 1 Putil-merge | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077 | |||||
| CVE-2022-0432 | 1 Joinmastodon | 1 Mastodon | 2022-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. | |||||
| CVE-2021-23760 | 1 Keyget Project | 1 Keyget | 2022-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The package keyget from 0.0.0 is vulnerable to Prototype Pollution via the methods set, push, and at, which could allow an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix to [CVE-2020-28272](https://security.snyk.io/vuln/SNYK-JS-KEYGET-1048048) | |||||
| CVE-2021-23558 | 1 Bmoor Project | 1 Bmoor | 2022-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The package bmoor before 0.10.1 is vulnerable to Prototype Pollution due to missing sanitization in the set function. **Note:** This vulnerability derives from an incomplete fix in [CVE-2020-7736](https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664) | |||||
| CVE-2021-23518 | 1 Cached-path-relative Project | 1 Cached-path-relative | 2022-01-27 | 7.5 HIGH | 9.8 CRITICAL |
| The package cached-path-relative before 1.1.0 is vulnerable to Prototype Pollution via the cache variable in the cachedPathRelative function, which is initialised as {} instead of Object.create(null). This gives lookups access to the parent prototype's properties when the object is used to build the cached relative path: when the origin path is __proto__, the object's inherited property is accessed instead of a cached path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573 | |||||
| CVE-2021-23460 | 1 Camunda | 1 Min-dash | 2022-01-26 | 5.0 MEDIUM | 7.5 HIGH |
| The package min-dash before 3.8.1 is vulnerable to Prototype Pollution via the set method due to missing enforcement of key types. | |||||
| CVE-2021-23568 | 1 Eggjs | 1 Extend2 | 2022-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| The package extend2 before 1.0.1 is vulnerable to Prototype Pollution via the extend function due to an unsafe recursive merge. | |||||
| CVE-2021-23594 | 1 Agoric | 1 Realms-shim | 2022-01-13 | 7.5 HIGH | 10.0 CRITICAL |
| All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. | |||||
| CVE-2021-23543 | 1 Agoric | 1 Realms-shim | 2022-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. | |||||
| CVE-2021-43852 | 1 Oroinc | 1 Oroplatform | 2022-01-12 | 6.8 MEDIUM | 8.8 HIGH |
| OroPlatform is a PHP Business Application Platform. In affected versions, by sending a specially crafted request, an attacker could inject properties into the prototypes of existing JavaScript language constructs, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution. This issue has been patched in version 4.2.8. Users unable to upgrade may configure a firewall to drop requests containing the following strings: `__proto__`, `constructor[prototype]`, and `constructor.prototype`, to mitigate this issue. | |||||
| CVE-2021-23574 | 1 Js-data | 1 Js-data | 2022-01-12 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS-JSDATA-1023655). | |||||
| CVE-2020-28270 | 1 Mjpclab | 1 Object-hierarchy-access | 2022-01-06 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'object-hierarchy-access' versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2021-23663 | 1 Sey Project | 1 Sey | 2021-12-14 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function. | |||||
| CVE-2021-23700 | 1 Merge-deep2 Project | 1 Merge-deep2 | 2021-12-14 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function. | |||||
| CVE-2021-23561 | 1 C2fo | 1 Comb | 2021-12-14 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function. | |||||
| CVE-2021-28860 | 1 Adaltas | 1 Mixme | 2021-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS). | |||||
| CVE-2021-3815 | 1 Utils.js Project | 1 Utils.js | 2021-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| utils.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
| CVE-2021-23383 | 2 Handlebarsjs, Netapp | 2 Handlebars, E-series Performance Analyzer | 2021-12-03 | 7.5 HIGH | 9.8 CRITICAL |
| The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compile options to compile templates coming from an untrusted source. | |||||
| CVE-2021-43787 | 1 Nodebb | 1 Nodebb | 2021-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible. | |||||
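
Most entries in this table share one shape: a set-by-path or recursive-merge helper walks attacker-controlled keys into a target object, and the "incomplete fix" entries added a check that only looks at the first path segment (the prefix check described for CVE-2022-21190, the top-level-only check described for CVE-2022-25645). The following Node.js snippet is an added example and is not code from any package listed above; `setPathUnchecked`, `setPathPrefixCheck`, `setPathSafe`, `deepMergeUnchecked`, `deepMergeSafe`, `pollutes` and the attacker-shaped inputs are all constructed here to reproduce the pattern, including the `foo.__proto__` bypass and a JSON body carrying an own `__proto__` key.

```javascript
// Added example, not code from any package in the table above. It shows the
// write-side pattern behind the listed CVEs: a path setter / deep merge that
// descends through attacker-chosen keys, a prefix-only check that is bypassed
// by a leading "foo." segment, and a hardened version that rejects reserved
// keys at every depth and only descends into own properties.

const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// (1) Classic vulnerable form: each segment is used as-is while walking.
function setPathUnchecked(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];            // cur['__proto__'] resolves to Object.prototype here
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// (2) Prefix-only check, the shape of the bypassed fix described for
//     CVE-2022-21190: any leading segment followed by a dot skips the check.
function setPathPrefixCheck(target, path, value) {
  if (path.startsWith('__proto__') || path.startsWith('this.constructor.prototype')) {
    throw new Error('reserved path rejected');
  }
  return setPathUnchecked(target, path, value);
}

// (3) Hardened: reject reserved keys at every segment, and never descend into
//     an inherited object (hasOwnProperty guard) so the chain stays on `target`.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (RESERVED.has(k)) throw new Error(`reserved key "${k}" rejected`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// (4) Recursive merge with the same defect: JSON.parse('{"__proto__":{...}}')
//     yields an *own* key named __proto__, and target["__proto__"] resolves to
//     Object.prototype while recursing, so the nested keys land on it.
function deepMergeUnchecked(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (typeof v === 'object' && v !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      deepMergeUnchecked(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (RESERVED.has(key)) continue;             // drop (or throw) reserved keys at every depth
    const v = source[key];
    if (typeof v === 'object' && v !== null) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      deepMergeSafe(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Harness: run `attempt`, report whether Object.prototype gained `marker`, and
// always remove it again so nothing else in the process is affected.
function pollutes(marker, attempt) {
  try { attempt(); } catch (_) { /* a rejected path counts as "not polluted" */ }
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  delete Object.prototype[marker];
  return hit;
}

// Scenarios with constructed attacker-shaped inputs; `true` means polluted.
const results = {
  unchecked:      pollutes('p1', () => setPathUnchecked({}, '__proto__.p1', true)),
  prefixDirect:   pollutes('p2', () => setPathPrefixCheck({}, '__proto__.p2', true)),
  prefixBypass:   pollutes('p3', () => setPathPrefixCheck({}, 'foo.__proto__.p3', true)),
  safe:           pollutes('p4', () => setPathSafe({}, 'foo.__proto__.p4', true)),
  mergeUnchecked: pollutes('p5', () => deepMergeUnchecked({}, JSON.parse('{"__proto__":{"p5":true}}'))),
  mergeSafe:      pollutes('p6', () => deepMergeSafe({}, JSON.parse('{"__proto__":{"p6":true}}'))),
};
console.log(results);
```

The point of the hardened variants is that the reserved-key check runs on every segment and every nested key, not only on the first one, and that the walk only continues into own properties; a check on `path.startsWith(...)` or on the top-level key alone is exactly what `foo.__proto__.x` and a nested `{"__proto__": {...}}` object step around.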
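
The cached-path-relative entry (CVE-2021-23518) is the read-side variant of the same problem: a plain `{}` used as a lookup table answers for inherited keys, so a caller asking for `__proto__` gets `Object.prototype` back instead of a cache miss, and writing the computed result into that "level" pollutes every object. The snippet below is an added example, not the cached-path-relative code; `makeStore`, `cachedLookup`, `demo` and the `compute` callback are hypothetical and the inputs are constructed.

```javascript
// Added example, not the cached-path-relative implementation. A two-level
// memo store[from][to] built on a plain object versus Object.create(null):
// with `{}`, store['__proto__'] is Object.prototype, so a lookup with that
// origin key returns inherited values as bogus hits and a miss writes the
// computed result onto Object.prototype.

function makeStore(nullProto) {
  return nullProto ? Object.create(null) : {};
}

// Memoised computation keyed by (from, to). Whether the nested level is a
// null-prototype object follows the outer store's choice.
function cachedLookup(store, from, to, compute) {
  const nullProto = Object.getPrototypeOf(store) === null;
  if (typeof store[from] !== 'object' || store[from] === null) {
    store[from] = makeStore(nullProto);   // on a null-proto store this is an own key, even for "__proto__"
  }
  const level = store[from];
  if (level[to] !== undefined) return level[to];   // treated as a cache hit
  level[to] = compute(from, to);
  return level[to];
}

// Exercise both stores with a user-controlled origin key of "__proto__".
function demo() {
  const compute = (from, to) => `rel(${from} -> ${to})`;   // stand-in for the real work

  const plain = makeStore(false);
  // Inherited Object.prototype.toString is returned as if it were cached.
  const bogusHit = cachedLookup(plain, '__proto__', 'toString', compute);
  // A miss stores the result on Object.prototype: every object now has .leaked.
  const written = cachedLookup(plain, '__proto__', 'leaked', compute);
  const leakedIntoAll = ({}).leaked === written;
  delete Object.prototype.leaked;   // clean up so the rest of the process is unaffected

  const nullStore = makeStore(true);
  const safeMiss = cachedLookup(nullStore, '__proto__', 'toString', compute);
  cachedLookup(nullStore, '__proto__', 'leaked', compute);
  const stillClean = ({}).leaked === undefined;

  return {
    bogusHitIsFunction: typeof bogusHit === 'function',
    leakedIntoAll,
    safeMissComputed: safeMiss === 'rel(__proto__ -> toString)',
    stillClean,
  };
}

console.log(demo());
```

A `Map` keyed by string works equally well as the null-prototype object; what matters is that the lookup structure has no inherited properties reachable through attacker-chosen keys, which is the change the CVE entry describes (`Object.create(null)` instead of `{}`).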
