Total: 317 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-22143 | 1 Mozilla | 1 Convict | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL | The package convict before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508). |
| CVE-2022-25301 | 1 Jsgui-lang-essentials Project | 1 Jsgui-lang-essentials | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL | All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. |
| CVE-2022-21189 | 1 Dexie | 1 Dexie | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL | The package dexie before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3, is vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function, which does not properly check the keys being set (such as `__proto__` or `constructor`). This can allow an attacker to add or modify properties of Object.prototype, leading to prototype pollution. **Note:** This vulnerability can be reached in multiple ways, for example when modifying a collection with untrusted user input. |
| CVE-2022-24279 | 1 Springtree | 1 Madlib-object-utils | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH | The package madlib-object-utils before 0.1.8 is vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676). |
| CVE-2020-7598 | 2 Opensuse, Substack | 2 Leap, Minimist | 2022-04-22 | 6.8 MEDIUM | 5.6 MEDIUM | minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a `constructor` or `__proto__` payload. |
| CVE-2022-21803 | 1 Nconf Project | 1 Nconf | 2022-04-20 | 5.0 MEDIUM | 7.5 HIGH | This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, which is responsible for setting configuration properties, is vulnerable to Prototype Pollution: by providing a crafted property, it is possible to modify the properties of Object.prototype. |
| CVE-2022-23395 | 1 Jquery.cookie Project | 1 Jquery.cookie | 2022-04-18 | 4.3 MEDIUM | 6.1 MEDIUM | jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM-based cross-site scripting (XSS). |
| CVE-2022-1295 | 1 Fullpage Project | 1 Fullpage | 2022-04-15 | 7.5 HIGH | 9.8 CRITICAL | Prototype Pollution in GitHub repository alvarotrigo/fullpage.js prior to 4.0.2. |
| CVE-2022-24802 | 1 Deepmerge-ts Project | 1 Deepmerge-ts | 2022-04-11 | 7.5 HIGH | 9.8 CRITICAL | deepmerge-ts is a TypeScript library providing deep merging of JavaScript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known workarounds for this issue. |
| CVE-2020-7751 | 1 Chaijis | 1 Pathval | 2022-04-08 | 6.5 MEDIUM | 7.2 HIGH | pathval before version 1.1.1 is vulnerable to prototype pollution. |
| CVE-2022-26260 | 1 Simple-plist Project | 1 Simple-plist | 2022-03-28 | 7.5 HIGH | 9.8 CRITICAL | Simple-Plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse(). |
| CVE-2022-25354 | 1 Set-in Project | 1 Set-in | 2022-03-24 | 7.5 HIGH | 9.8 CRITICAL | The package set-in before 2.0.3 is vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049). |
| CVE-2022-25296 | 1 Bodymen Project | 1 Bodymen | 2022-03-24 | 7.5 HIGH | 7.3 HIGH | The package bodymen from 0.0.0 is vulnerable to Prototype Pollution via the handler function, which could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload. **Note:** This vulnerability derives from an incomplete fix of [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897). |
| CVE-2022-25352 | 1 Libnested Project | 1 Libnested | 2022-03-24 | 7.5 HIGH | 9.8 CRITICAL | The package libnested before 1.5.2 is vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930). |
| CVE-2021-44908 | 1 Sailsjs | 1 Sails | 2022-03-24 | 7.5 HIGH | 9.8 CRITICAL | SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). |
| CVE-2021-23771 | 2 Argencoders-notevil Project, Notevil Project | 2 Argencoders-notevil, Notevil | 2022-03-24 | 6.4 MEDIUM | 6.5 MEDIUM | This affects all versions of package notevil and all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype Pollution: the package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878). |
| CVE-2021-43956 | 1 Atlassian | 2 Crucible, Fisheye | 2022-03-22 | 4.3 MEDIUM | 6.1 MEDIUM | The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. |
| CVE-2021-23702 | 1 Object-extend Project | 1 Object-extend | 2022-02-25 | 7.5 HIGH | 9.8 CRITICAL | The package object-extend from 0.0.0 is vulnerable to Prototype Pollution via object-extend. |
| CVE-2021-23682 | 2 Appwrite, Litespeed.js Project | 2 Appwrite, Litespeed.js | 2022-02-24 | 7.5 HIGH | 9.8 CRITICAL | This affects the package litespeed.js before 0.3.12, and the package appwrite/server-ce from 0.12.0 and before 0.12.2, and before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized, leading to a Prototype Pollution vulnerability. |
| CVE-2021-23497 | 1 Set Project | 1 Set | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL | This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-STRIKEENTCOSET-1038821](https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821). |
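Most entries in this listing describe one of two sinks: a dotted key-path setter that creates intermediate objects as it walks the path (Dexie.setByKeyPath, nconf .set(), set-in, libnested), or a recursive merge that descends into nested objects (deepmerge-ts, object-extend, madlib-object-utils), with untrusted keys arriving through JSON, a query string (the litespeed.js getJsonFromUrl route) or CLI arguments (minimist). The block below is an added example, not code from any of the listed packages; every function name in it is made up. It shows each sink in a deliberately vulnerable form next to a hardened form, feeds a constructed query string into the setter, and checks whether a fresh object ends up inheriting the attacker's property.

```javascript
'use strict';
// Added example modelling the sinks in the CVE listing; not code from any listed
// package. All function names (setByPathUnsafe, deepMergeSafe, ...) are invented.

// The three path segments that let a string key reach Object.prototype from a
// plain object: "__proto__" directly, or "constructor" followed by "prototype".
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// VULNERABLE key-path setter: "create the container if missing" with plain
// property access. On a fresh {}, cur['__proto__'] is Object.prototype and
// cur['constructor']['prototype'] is Object.prototype too, so both routes pollute.
function setByPathUnsafe(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] == null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// HARDENED key-path setter: refuse forbidden segments, and only descend into a
// value the current object OWNS; anything inherited is replaced by a
// null-prototype container so no later segment can reach a prototype.
function setByPathSafe(target, path, value) {
  const parts = path.split('.');
  const bad = parts.find((p) => FORBIDDEN_KEYS.has(p));
  if (bad !== undefined) throw new Error(`refusing to set through "${bad}" in path "${path}"`);
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!hasOwn(cur, parts[i]) || !isPlainObject(cur[parts[i]])) cur[parts[i]] = Object.create(null);
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// VULNERABLE recursive merge. JSON.parse('{"__proto__":{"x":1}}') produces an
// OWN enumerable key named "__proto__", for..in yields it, and target['__proto__']
// on a fresh {} is Object.prototype, so the recursion writes into the prototype.
function deepMergeUnsafe(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED merge: own keys only, forbidden keys skipped, and never recurse into
// a target value that is inherited rather than owned.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const existing = hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMergeSafe(existing, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Entry point where the attacker controls the keys: a query string parsed into a
// nested object. The setter plugged in decides whether "?__proto__.x=1" lands on
// Object.prototype. Values with '=' in them are truncated; fine for the example.
function parseQuery(qs, setter) {
  const out = {};
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    setter(out, decodeURIComponent(k), decodeURIComponent(v));
  }
  return out;
}

// Canary: a brand-new object must not see the property. The vulnerable calls
// leave Object.prototype modified, so each probe is cleaned up afterwards.
function inheritsGlobal(name) {
  const probe = {};
  return probe[name] !== undefined;
}
function unpollute(name) {
  delete Object.prototype[name];
}

// Runs every sink against a constructed payload and reports, per probe, whether
// the global prototype was polluted and whether the hardened code threw.
function demo() {
  const results = {};
  const run = (label, fn) => {
    let threw = false;
    try { fn(); } catch (e) { threw = true; }
    results[label] = { polluted: inheritsGlobal(label), threw };
    unpollute(label);
  };
  run('p1', () => setByPathUnsafe({}, '__proto__.p1', 1));
  run('p2', () => setByPathUnsafe({}, 'constructor.prototype.p2', 1));
  run('p3', () => setByPathSafe({}, '__proto__.p3', 1));
  run('p4', () => deepMergeUnsafe({}, JSON.parse('{"__proto__":{"p4":1}}')));
  run('p5', () => deepMergeSafe({}, JSON.parse('{"__proto__":{"p5":1}}')));
  run('p6', () => parseQuery('?a.b=1&__proto__.p6=1', setByPathUnsafe));
  run('p7', () => parseQuery('?a.b=1&__proto__.p7=1', setByPathSafe));
  return results;
}

console.log(demo());
```

The two hardened variants make the same three decisions, which is the pattern the "incomplete fix" notes above are about: reject the magic segment names before touching anything, enumerate and descend only through own properties (Object.keys / hasOwnProperty rather than for..in and plain access), and create fresh containers with Object.create(null). Blocking only `__proto__` while still walking `constructor.prototype`, or blocking the keys but still recursing into an inherited target value, leaves one of the routes open.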