Total: 317 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-25915 | 1 Changeset Project | 1 Changeset | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
CVE-2021-23402 | 1 Record-like-deep-assign Project | 1 Record-like-deep-assign | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. | |||||
CVE-2021-23421 | 1 Merge-change Project | 1 Merge-change | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function. | |||||
CVE-2021-23449 | 1 Vm2 Project | 1 Vm2 | 2022-06-28 | 7.5 HIGH | 10.0 CRITICAL |
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. | |||||
CVE-2021-23403 | 1 Ts-nodash Project | 1 Ts-nodash | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of input validation. | |||||
CVE-2021-25949 | 1 Set-getter Project | 1 Set-getter | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
CVE-2020-7617 | 1 Ini-parser Project | 1 Ini-parser | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
ini-parser through 0.0.2 is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload. | |||||
CVE-2021-23433 | 1 Algolia | 1 Algoliasearch-helper | 2022-06-28 | 6.8 MEDIUM | 9.8 CRITICAL |
The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js (SearchParameters._parseNumbers) without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns. | |||||
CVE-2021-25945 | 1 Js-extend Project | 1 Js-extend | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
CVE-2021-23448 | 1 Config-handler Project | 1 Config-handler | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
All versions of package config-handler are vulnerable to Prototype Pollution when loading config files. | |||||
CVE-2021-25948 | 1 Expand-hash Project | 1 Expand-hash | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
CVE-2020-7792 | 1 Moutjs | 1 Mout | 2022-06-28 | 7.5 HIGH | 7.5 HIGH |
This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution. | |||||
CVE-2020-7771 | 1 Asciitable.js Project | 1 Asciitable.js | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function. | |||||
CVE-2021-25952 | 1 Just-safe-set Project | 1 Just-safe-set | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
Prototype pollution vulnerability in 'just-safe-set' versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
CVE-2021-23417 | 1 Deepmergefn Project | 1 Deepmergefn | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function. | |||||
CVE-2022-25878 | 1 Protobufjs Project | 1 Protobufjs | 2022-06-08 | 5.0 MEDIUM | 7.5 HIGH |
The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of Object.prototype. This vulnerability can occur in multiple ways: (1) by providing untrusted user input to the util.setProperty or ReflectionObject.setParsedOption functions, or (2) by parsing/loading .proto files. | |||||
CVE-2019-19919 | 2 Handlebars.js Project, Tenable | 2 Handlebars.js, Tenable.sc | 2022-06-03 | 7.5 HIGH | 9.8 CRITICAL |
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. | |||||
CVE-2022-25862 | 1 Sds Project | 1 Sds | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to [CVE-2020-7618](https://security.snyk.io/vuln/SNYK-JS-SDS-564123) | |||||
CVE-2022-21190 | 1 Mozilla | 1 Convict | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604). The [fix](https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880) that was introduced relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks whether the path starts with __proto__ or this.constructor.prototype. To bypass this check it is possible to prepend the dangerous path with any string value followed by a dot, for example foo.__proto__ or foo.this.constructor.prototype. | |||||
CVE-2022-25324 | 1 Bignum Project | 1 Bignum | 2022-05-17 | 5.0 MEDIUM | 7.5 HIGH |
All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8: when verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks. |
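The recursive-merge sink described for mout (CVE-2020-7792: deepMixIn/deepFillIn recurse into the target using a key that is never checked) is worth seeing end to end. The following is an added example written for this page, not mout's code: a minimal recursive merge with the unchecked key next to a hardened variant, with the `__proto__` and `constructor.prototype` payloads fed through both. Function names (`deepMixInVulnerable`, `deepMixInSafe`, `probe`) and the JSON payloads are constructed for illustration.

```javascript
// Added example (not mout's code): a recursive merge that never checks the key, the
// pattern CVE-2020-7792 describes for deepMixIn/deepFillIn, next to a hardened version.

// Typical "isObject" test. Like many utility libraries it treats functions as objects,
// which is what makes the constructor.prototype vector reachable (Object is a function).
function isObjectLike(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// VULNERABLE: recurses into target[key] for every source key. target['__proto__'] resolves
// to Object.prototype and target['constructor'] to Object, so both become merge targets.
function deepMixInVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isObjectLike(value)) {
      if (!isObjectLike(target[key])) target[key] = {};
      deepMixInVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: skip the keys that reach the prototype chain, and only recurse into an *own*
// plain-object property of the target, so an inherited object is never used as a target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function deepMixInSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // silently drop; throwing is the stricter policy
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      deepMixInSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payloads, as they would arrive in a JSON request body. JSON.parse creates an
// *own* data property literally named "__proto__", which is exactly what for-in enumerates.
const PAYLOADS = {
  viaProto: '{"__proto__": {"polluted": "yes"}}',
  viaConstructor: '{"constructor": {"prototype": {"polluted": "yes"}}}',
};

// Merge one payload into an empty object with the given implementation, then report what a
// brand-new, unrelated object sees for `polluted` (undefined unless Object.prototype was hit).
// Cleans up afterwards so the rest of the process is not left polluted.
function probe(mergeFn, payloadJson) {
  mergeFn({}, JSON.parse(payloadJson));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}

for (const [name, json] of Object.entries(PAYLOADS)) {
  console.log(name, '-> vulnerable:', probe(deepMixInVulnerable, json),
              '| hardened:', probe(deepMixInSafe, json));
}
```

Two design points: the own-property check matters as much as the deny-list, because `target['__proto__']` on an ordinary object is an inherited accessor that hands back `Object.prototype`; and dropping `constructor` does break inputs that legitimately carry a key of that name, so a library that must accept it has to at least refuse to recurse into anything that is not an own plain object. Freezing `Object.prototype` at startup, or merging into `Object.create(null)` containers, are the usual belt-and-braces additions.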
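The convict entry (CVE-2022-21190) describes the other common sink, a dotted-path setter, and a textbook incomplete fix: a `startsWith` check on the whole path that `foo.__proto__` walks straight past. The following is an added example written for this page, not convict's code: a minimal path setter in three versions (unchecked, the prefix check as the CVE text describes it, and a per-segment check), driven with constructed attacker paths. Function names (`walkAndSet`, `setPathVulnerable`, `setPathPrefixCheck`, `setPathSafe`, `probe`) are hypothetical.

```javascript
// Added example (not convict's code): a dotted-path setter in three versions, reproducing on
// a minimal implementation the CVE-2022-21190 bypass of the CVE-2022-22143 prefix check.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Shared walker: creates intermediate objects and assigns the leaf. It reads cur[key] with
// no own-property check, so "__proto__" resolves to Object.prototype and "constructor" to
// the Object function, and both are happily used as the next container.
function walkAndSet(obj, segments, value) {
  let cur = obj;
  for (const key of segments.slice(0, -1)) {
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// 1. VULNERABLE: no check at all.
function setPathVulnerable(obj, path, value) {
  return walkAndSet(obj, path.split('.'), value);
}

// 2. INCOMPLETE FIX: the check the CVE text describes, applied to the whole string before
//    splitting. "__proto__.x" is rejected; "foo.__proto__.x" is not.
function setPathPrefixCheck(obj, path, value) {
  if (path.startsWith('__proto__') || path.startsWith('this.constructor.prototype')) {
    throw new Error(`refusing to set ${path}`);
  }
  return walkAndSet(obj, path.split('.'), value);
}

// 3. HARDENED: validate every segment after splitting, and only descend into *own* plain
//    objects so an inherited value (Object.prototype, Object) is never the next container.
function setPathSafe(obj, path, value) {
  const segments = path.split('.');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) throw new Error(`unsafe path segment: ${seg}`);
  }
  let cur = obj;
  for (const key of segments.slice(0, -1)) {
    if (!hasOwn(cur, key) || cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Run one setter against one attacker-controlled path and report the outcome: 'blocked' if
// the setter threw, otherwise the value a fresh, unrelated object now sees for `polluted`.
// Cleans Object.prototype afterwards so the rest of the process is unaffected.
function probe(setter, path) {
  let outcome;
  try {
    setter({}, path, 'owned');
    outcome = ({}).polluted; // undefined unless the prototype was polluted
  } catch (e) {
    outcome = 'blocked';
  } finally {
    delete Object.prototype.polluted;
  }
  return outcome;
}

// Constructed attacker paths. `bypass` is the trick from the CVE text: any string plus a dot
// in front of the dangerous segment defeats a startsWith() check on the raw path.
const PATHS = {
  direct: '__proto__.polluted',
  bypass: 'foo.__proto__.polluted',
  viaConstructor: 'foo.constructor.prototype.polluted',
};

for (const [name, path] of Object.entries(PATHS)) {
  console.log(name.padEnd(15), 'vulnerable:', probe(setPathVulnerable, path),
              '| prefix check:', probe(setPathPrefixCheck, path),
              '| per-segment:', probe(setPathSafe, path));
}
```

The general lesson is that a path is a list of keys, not a string, so the check has to run on each segment after splitting; a check on the unsplit string is only ever as good as the attacker's willingness to put the dangerous segment first.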