Total
314 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43787 | 1 Nodebb | 1 Nodebb | 2022-10-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible. | |||||
| CVE-2021-21304 | 1 Dynamoosejs | 1 Dynamoose | 2022-10-25 | 7.5 HIGH | 9.8 CRITICAL |
| Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method is used throughout the codebase for various operations throughout Dynamoose. We have not seen any evidence of this vulnerability being exploited. There is no evidence this vulnerability impacts versions 1.x.x since the vulnerable method was added as part of the v2 rewrite. This vulnerability also impacts v2.x.x beta/alpha versions. Version 2.7.0 includes a patch for this vulnerability. | |||||
| CVE-2021-21368 | 1 Msgpack5 Project | 1 Msgpack5 | 2022-10-24 | 6.5 MEDIUM | 8.8 HIGH |
| msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__. Object.prototype.__proto__ is an accessor property for the receiver's prototype. If the value corresponding to the key __proto__ decodes to an object or null, msgpack5 sets the decoded object's prototype to that value. An attacker who can submit crafted MessagePack data to a service can use this to produce values that appear to be of other types; may have unexpected prototype properties and methods (for example length, numeric properties, and push et al if __proto__'s value decodes to an Array); and/or may throw unexpected exceptions when used (for example if the __proto__ value decodes to a Map or Date). Other unexpected behavior might be produced for other types. There is no effect on the global prototype. This "prototype poisoning" is sort of a very limited inversion of a prototype pollution attack. Only the decoded value's prototype is affected, and it can only be set to msgpack5 values (though if the victim makes use of custom codecs, anything could be a msgpack5 value). We have not found a way to escalate this to true prototype pollution (absent other bugs in the consumer's code). This has been fixed in msgpack5 version 3.6.1, 4.5.1, and 5.2.1. See the referenced GitHub Security Advisory for an example and more details. | |||||
| CVE-2022-37609 | 1 Js-beautify Project | 1 Js-beautify | 2022-10-14 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js. | |||||
| CVE-2022-37617 | 1 Browserify-shim Project | 1 Browserify-shim | 2022-10-13 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the k variable in resolve-shims.js. | |||||
| CVE-2021-41097 | 1 Bluespire | 1 Aurelia-path | 2022-09-30 | 5.0 MEDIUM | 7.5 HIGH |
| aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`. | |||||
| CVE-2022-37258 | 1 Stealjs | 1 Steal | 2022-09-21 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js. | |||||
| CVE-2022-37264 | 1 Stealjs | 1 Steal | 2022-09-19 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js. | |||||
| CVE-2022-37257 | 1 Stealjs | 1 Steal | 2022-09-19 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. | |||||
| CVE-2022-37266 | 1 Stealjs | 1 Steal | 2022-09-19 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function extend in babel.js in stealjs steal 2.2.4 via the key variable in babel.js. | |||||
| CVE-2021-3757 | 1 Immer Project | 1 Immer | 2022-09-10 | 7.5 HIGH | 9.8 CRITICAL |
| immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
| CVE-2021-39227 | 1 Baidu | 1 Zrender | 2022-09-10 | 7.5 HIGH | 9.8 CRITICAL |
| ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: Check if there is `__proto__` in the object keys. Omit it before using it as an parameter in these affected methods. Or in `echarts.util.merge` and `setOption` if project is using ECharts. | |||||
| CVE-2021-39205 | 1 8x8 | 1 Jitsi Meet | 2022-09-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-40663 | 1 Deep.assign Project | 1 Deep.assign | 2022-09-09 | 7.5 HIGH | 9.8 CRITICAL |
| deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | |||||
| CVE-2022-25907 | 1 Typescript Deep Merge Project | 1 Typescript Deep Merge | 2022-08-12 | N/A | 9.8 CRITICAL |
| The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Pollution due to missing sanitization of the merge function. | |||||
| CVE-2020-8116 | 1 Dot-prop Project | 1 Dot-prop | 2022-08-05 | 7.5 HIGH | 7.3 HIGH |
| Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects. | |||||
| CVE-2020-8158 | 1 Typeorm | 1 Typeorm | 2022-08-05 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks. | |||||
| CVE-2021-23397 | 1 Merge Project | 1 Merge | 2022-08-01 | N/A | 9.8 CRITICAL |
| All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead. | |||||
| CVE-2021-23373 | 1 Set-deep-prop Project | 1 Set-deep-prop | 2022-08-01 | N/A | 9.8 CRITICAL |
| All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality. | |||||
| CVE-2020-28471 | 1 Properties-reader Project | 1 Properties-reader | 2022-08-01 | N/A | 9.8 CRITICAL |
| This affects the package properties-reader before 2.2.0. | |||||