Total: 317 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-20083 | 1 Jquery-plugin-query-object Project | 1 Jquery-plugin-query-object | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-plugin-query-object 2.2.3 allows a malicious user to inject properties into Object.prototype. | |||||
CVE-2020-7644 | 1 Fun-map Project | 1 Fun-map | 2023-11-07 | 6.8 MEDIUM | 8.1 HIGH |
fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. | |||||
CVE-2020-5258 | 3 Debian, Linuxfoundation, Oracle | 10 Debian Linux, Dojo, Communications Application Session Controller and 7 more | 2023-11-07 | 5.0 MEDIUM | 7.7 HIGH |
In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as Object.prototype; an attacker who can set these attributes overwrites, or pollutes, the prototype of the base object with attacker-chosen values, which every object inheriting from it then picks up. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2. | |||||
CVE-2020-36618 | 1 Furqansofware | 1 Node Whois | 2023-11-07 | N/A | 9.8 CRITICAL |
A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file index.coffee. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The fix is patch 46ccc2aee8d063c7b6b4dee2c2834113b7286076; applying it is recommended. The identifier of this vulnerability is VDB-216252. | |||||
CVE-2020-36604 | 1 Hapijs | 1 Hoek | 2023-11-07 | N/A | 8.1 HIGH |
hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function. | |||||
CVE-2019-14379 | 7 Apple, Debian, Fasterxml and 4 more | 25 Xcode, Debian Linux, Jackson-databind and 22 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. | |||||
CVE-2019-10808 | 1 Xcritical.software | 1 Utilitify | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype. | |||||
CVE-2019-10768 | 1 Angularjs | 1 Angular.js | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. | |||||
CVE-2019-0230 | 2 Apache, Oracle | 5 Struts, Communications Policy Management, Financial Services Data Integration Hub and 2 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | |||||
CVE-2018-19296 | 4 Debian, Fedoraproject, Phpmailer Project and 1 more | 4 Debian Linux, Fedora, Phpmailer and 1 more | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. | |||||
CVE-2023-45282 | 1 Nasa | 1 Openmct | 2023-11-02 | N/A | 7.5 HIGH |
In NASA Open MCT (aka openmct) before 3.1.0, prototype pollution can occur via an import action. | |||||
CVE-2023-45811 | 1 Relative | 1 Synchrony | 2023-10-25 | N/A | 7.8 HIGH |
Synchrony deobfuscator is a JavaScript cleaner and deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4: the `LiteralMap` transformer allows crafted input to modify properties of the Object prototype, and successful exploitation could lead to arbitrary code execution. A fix has been released in `deobfuscator@2.4.4`; users are advised to upgrade. Users unable to upgrade should launch node with the `--disable-proto=delete` or `--disable-proto=throw` flag. | |||||
CVE-2022-25645 | 1 Dset Project | 1 Dset | 2023-09-12 | 6.8 MEDIUM | 8.1 HIGH |
All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution only by validating whether the top-level path contains __proto__, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution. | |||||
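The merge()/extend()/assocInM()-style entries above (AngularJS, fun-map, utilitify, hello.js, tree-kit) and the dset bypass share one shape: a recursive merge that follows attacker-controlled keys into the target. The example below is added for this page and is not code from any of the listed projects. It shows a naive merge being polluted by a `__proto__` payload, a guard that only checks the top-level keys (the dset style) being bypassed by nesting the same key one level down, and a hardened merge that rejects the key at every depth. The payloads, the `pollutes()` checker and all names are constructed for illustration.

```javascript
// Added example for this page, not code from AngularJS, fun-map, utilitify, dset
// or any other listed project. Shows the shared bug shape and its fix.

// Constructed payloads, e.g. a JSON request body. JSON.parse creates an own,
// enumerable property literally named "__proto__", which is what the merges walk.
const PAYLOAD = '{"__proto__": {"polluted": true}}';
const NESTED_PAYLOAD = '{"settings": {"__proto__": {"polluted": true}}}';

const BAD_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// 1. Naive recursive merge. target['__proto__'] on a plain object hits the
//    Object.prototype accessor, so the recursion descends into Object.prototype
//    and writes "polluted" there.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// 2. Guard only at the top level (the dset-style check). The first recursion
//    drops the guard, so nesting the key one level down bypasses it.
function topLevelGuardMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BAD_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value); // unguarded below this point
    } else {
      target[key] = value;
    }
  }
  return target;
}

// 3. Hardened: reject the dangerous keys at every depth, and only descend into
//    properties the target actually owns, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BAD_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run a merge against a fresh object and report whether an unrelated object
// gained the "polluted" property; restores Object.prototype afterwards.
function pollutes(mergeFn, payloadJson) {
  const canary = {};
  mergeFn({}, JSON.parse(payloadJson));
  const hit = canary.polluted === true;
  delete Object.prototype.polluted;
  return hit;
}

function results() {
  return {
    naive_flat: pollutes(naiveMerge, PAYLOAD),                    // true
    guarded_flat: pollutes(topLevelGuardMerge, PAYLOAD),          // false
    guarded_nested: pollutes(topLevelGuardMerge, NESTED_PAYLOAD), // true: the bypass
    safe_flat: pollutes(safeMerge, PAYLOAD),                      // false
    safe_nested: pollutes(safeMerge, NESTED_PAYLOAD),             // false
  };
}

console.log(results());
```

Node's `--disable-proto=delete` (the mitigation named in the Synchrony entry above) removes the `Object.prototype.__proto__` accessor, so in the naive merge the `__proto__` payload lands as a harmless own property instead of reaching `Object.prototype`; it does not cover the `constructor.prototype` route, so the key check in the hardened merge is still needed.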
CVE-2022-24999 | 3 Debian, Openjsf, Qs Project | 3 Debian Linux, Express, Qs | 2023-09-08 | N/A | 7.5 HIGH |
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable). | |||||
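Payloads like the qs one above are easy to spot in request logs, because the pollution key has to appear in the parameter name, not its value. The detector below is an added example written for this page, not code from qs or Express. It parses constructed Common Log Format lines, URL-decodes each query parameter name once (as qs does), splits bracket and dot notation into path segments, and flags any segment `__proto__` or `constructor` followed by `prototype`; the addresses, paths and timestamps in the sample lines are made up.

```javascript
// Added example for this page: prototype-pollution payload detection over
// web-server access logs. Not code from qs, Express or any listed project.

// Constructed Common Log Format lines (addresses, paths, timestamps are made up).
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Oct/2023:10:01:02 +0000] "GET /search?q=hello HTTP/1.1" 200 512',
  '10.0.0.9 - - [12/Oct/2023:10:01:07 +0000] "GET /items?a[__proto__]=b&a[__proto__]&a[length]=100000000 HTTP/1.1" 200 0',
  '10.0.0.9 - - [12/Oct/2023:10:01:09 +0000] "GET /items?a%5B__proto__%5D%5Bpolluted%5D=1 HTTP/1.1" 200 0',
  '10.0.0.9 - - [12/Oct/2023:10:01:11 +0000] "GET /items?x[constructor][prototype][polluted]=1 HTTP/1.1" 200 0',
  '10.0.0.9 - - [12/Oct/2023:10:01:13 +0000] "GET /items?user.__proto__.isAdmin=true HTTP/1.1" 200 0',
  '10.0.0.7 - - [12/Oct/2023:10:01:20 +0000] "GET /docs?topic=prototype+chains HTTP/1.1" 200 2048',
];

// The quoted request field: method, URL, protocol.
const REQUEST_RE = /"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP\/[\d.]+"/;

// Decode a parameter name once and split it into its key path:
// 'a[b][c]' and 'a.b.c' both become ['a', 'b', 'c'].
function keySegments(rawKey) {
  let key;
  try {
    key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
  } catch {
    key = rawKey; // malformed percent-encoding: inspect the raw form instead
  }
  return key.split(/[\[\].]+/).filter(Boolean);
}

// Flag __proto__ anywhere in the path, or constructor directly followed by prototype.
function isPollutionKey(rawKey) {
  const segs = keySegments(rawKey);
  for (let i = 0; i < segs.length; i++) {
    if (segs[i] === '__proto__') return true;
    if (segs[i] === 'constructor' && segs[i + 1] === 'prototype') return true;
  }
  return false;
}

// Parameter names only: values such as topic=prototype+chains are not flagged.
function suspiciousParams(queryString) {
  return queryString
    .split('&')
    .filter((p) => p.length > 0)
    .map((p) => p.split('=')[0])
    .filter(isPollutionKey);
}

// Returns null for a clean line, otherwise { client, path, keys }.
function scanLogLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const url = m[1];
  const qIndex = url.indexOf('?');
  if (qIndex === -1) return null;
  const keys = suspiciousParams(url.slice(qIndex + 1));
  if (keys.length === 0) return null;
  return { client: line.split(' ')[0], path: url.slice(0, qIndex), keys };
}

function scanLog(lines) {
  return lines.map(scanLogLine).filter(Boolean);
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

The decoder runs once because that is what the query parser on the receiving end does; if the application decodes twice, or accepts JSON bodies, extend `keySegments` to match that decoding and run `isPollutionKey` over the body's nested keys as well.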
CVE-2023-30533 | 1 Sheetjs | 1 Sheetjs | 2023-09-07 | N/A | 7.8 HIGH |
SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words, 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected. | |||||
CVE-2023-38894 | 1 Tree Kit Project | 1 Tree Kit | 2023-08-24 | N/A | 9.8 CRITICAL |
A Prototype Pollution issue in Cronvel Tree-kit v0.7.4 and earlier allows a remote attacker to execute arbitrary code via the extend function. | |||||
CVE-2021-26505 | 1 Hello.js Project | 1 Hello.js | 2023-08-16 | N/A | 9.8 CRITICAL |
Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, allows remote attackers to execute arbitrary code via hello.utils.extend function. | |||||
CVE-2023-2972 | 1 Antfu | 1 Utils | 2023-08-16 | N/A | 9.8 CRITICAL |
Prototype Pollution in GitHub repository antfu/utils prior to 0.7.3. | |||||
CVE-2021-20085 | 1 Backbone-query-parameters Project | 1 Backbone-query-parameters | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype. | |||||
CVE-2021-20086 | 1 Jquery-bbq Project | 1 Jquery-bbq | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype. |