Total: 314 CVE (20 shown on this page)
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-28462 | Ion-parser Project | Ion-parser | 2022-08-01 | N/A | 9.8 CRITICAL | This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with `parse`, they will pollute the application's object prototype. This can be exploited further depending on the context. |
CVE-2020-28461 | Js-ini Project | Js-ini | 2022-08-01 | N/A | 9.8 CRITICAL | This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with `parse`, they will pollute the application's object prototype. This can be exploited further depending on the context. |
CVE-2020-28441 | Conf-cfg-ini Project | Conf-cfg-ini | 2022-08-01 | N/A | 9.8 CRITICAL | This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with `decode`, they will pollute the application's object prototype. This can be exploited further depending on the context. |
CVE-2021-3645 | Merge Project | Merge | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL | merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution', CWE-1321). |
CVE-2021-3766 | Objection Project | Objection | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL | objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution', CWE-1321). |
CVE-2021-3666 | Xml Body Parser Project | Xml Body Parser | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL | body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution', CWE-1321). |
CVE-2020-7641 | Grunt-util-property Project | Grunt-util-property | 2022-07-25 | N/A | 7.8 HIGH | This affects all versions of package grunt-util-property. The function call could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. |
CVE-2021-32736 | Thinkjs | Think-helper | 2022-07-22 | 5.0 MEDIUM | 7.5 HIGH | think-helper defines a set of helper functions for ThinkJS. In versions of think-helper prior to 1.1.3, the software receives input from an upstream component that specifies attributes to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. The vulnerability is patched in version 1.1.3. |
CVE-2022-22912 | Plist Project | Plist | 2022-07-14 | 7.5 HIGH | 9.8 CRITICAL | Prototype pollution via `.parse()` in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution. |
CVE-2021-23597 | Fastify | Fastify-multipart | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH | This affects the package fastify-multipart before 5.3.1. By providing a field with `name=constructor` it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382). |
CVE-2022-31106 | Clever | Underscore.deep | 2022-07-08 | 7.5 HIGH | 9.8 CRITICAL | Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to 0.5.3 are vulnerable to prototype pollution: an attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any objects created afterwards. Any users that have `deepFromFlat` or `deepPick` (which depends on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to reject the prototype-related keys before they are used. |
CVE-2022-21231 | Deep-get-set Project | Deep-get-set | 2022-07-06 | 7.5 HIGH | 9.8 CRITICAL | All versions of package deep-get-set are vulnerable to Prototype Pollution via the `deep` function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666). |
CVE-2022-24760 | Canonical, Microsoft, Parseplatform | Ubuntu Linux, Windows, Parse-server | 2022-07-01 | 7.5 HIGH | 10.0 CRITICAL | Parse Server is an open source HTTP web server backend. Versions prior to 4.10.7 contain a Remote Code Execution (RCE) vulnerability. It affects Parse Server in the default configuration with MongoDB. The root cause is prototype-pollution-prone code in `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. The vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch the installation with the code referenced in GHSA-p6h4-93qp-jhcm. |
CVE-2022-25871 | Querymen Project | Querymen | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH | All versions of package querymen are vulnerable to Prototype Pollution if the parameters of the exported function `handler(type, name, fn)` can be controlled by users without any sanitization. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7600](https://security.snyk.io/vuln/SNYK-JS-QUERYMEN-559867). |
CVE-2022-21213 | Moutjs | Mout | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH | This affects all versions of package mout. The `deepFillIn` function can be used to 'fill missing properties recursively', while `deepMixIn` mixes objects into the target object, recursively mixing existing child objects as well. In both cases the key used to recurse into the target object is not checked, which is what makes the vulnerability exploitable. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544). |
CVE-2020-7771 | Asciitable.js Project | Asciitable.js | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL | The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function. |
CVE-2021-23449 | Vm2 Project | Vm2 | 2022-06-28 | 7.5 HIGH | 10.0 CRITICAL | This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. |
CVE-2021-23421 | Merge-change Project | Merge-change | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL | All versions of package merge-change are vulnerable to Prototype Pollution via the `utils.set` function. |
CVE-2021-23433 | Algolia | Algoliasearch-helper | 2022-06-28 | 6.8 MEDIUM | 9.8 CRITICAL | The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to the use of the `merge` function in `SearchParameters._parseNumbers` (`src/SearchParameters/index.js`) without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns. |
CVE-2021-23403 | Ts-nodash Project | Ts-nodash | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL | All versions of package ts-nodash are vulnerable to Prototype Pollution via the `Merge()` function due to a lack of input validation. |
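The three INI entries at the top of the table (ion-parser, js-ini, conf-cfg-ini) share one mechanism: the parser stores each `[section]` on a plain object, so a section literally named `__proto__` resolves to `Object.prototype` and every key under it is written onto every object in the process. The following is an added example written for this page, not code from any of the listed packages: a toy INI parser with that defect beside a hardened version. The INI text, the function names and the `polluted` marker are constructed for illustration; it runs under Node.js with no dependencies.

```javascript
// Added example (not code from ion-parser, js-ini or conf-cfg-ini).

// Constructed attacker-supplied INI text, not taken from any advisory.
const MALICIOUS_INI = [
  '[database]',
  'host = db.internal',
  '[__proto__]',          // section name that resolves to Object.prototype
  'polluted = yes',
].join('\n');

// Shared tokenizer: yields [section, key, value] for every assignment line.
function* iniLines(text) {
  let section = '';
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) { section = sec[1].trim(); continue; }
    const eq = line.indexOf('=');
    if (eq < 0) throw new Error(`bad INI line: ${line}`);
    yield [section, line.slice(0, eq).trim(), line.slice(eq + 1).trim()];
  }
}

// Vulnerable: result["__proto__"] is Object.prototype (inherited accessor),
// so the section body is written onto the global prototype.
function parseIniVulnerable(text) {
  const result = {};
  for (const [section, key, value] of iniLines(text)) {
    const target = section ? (result[section] = result[section] || {}) : result;
    target[key] = value;
  }
  return result;
}

// Hardened: null-prototype containers have no "__proto__" accessor to hit,
// and the three dangerous names are rejected outright so a hostile file fails
// loudly instead of being silently accepted.
const UNSAFE_INI_NAMES = new Set(['__proto__', 'constructor', 'prototype']);
function parseIniSafe(text) {
  const result = Object.create(null);
  for (const [section, key, value] of iniLines(text)) {
    if (UNSAFE_INI_NAMES.has(section) || UNSAFE_INI_NAMES.has(key)) {
      throw new Error(`rejected unsafe INI name: ${section || key}`);
    }
    let target = result;
    if (section) {
      if (!(section in result)) result[section] = Object.create(null);
      target = result[section];
    }
    target[key] = value;
  }
  return result;
}

// Runs a parser over the text and reports whether a brand-new object now
// inherits the attacker's property; cleans up so repeated checks are independent.
function iniPollutes(parser, text) {
  delete Object.prototype.polluted;
  try { parser(text); } catch (e) { /* the hardened parser throws */ }
  const hit = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return hit;
}
```

The deny-list alone is not the fix; the null-prototype container is what removes the `__proto__` accessor from the data path. Returning null-prototype objects does mean callers cannot use inherited helpers such as `hasOwnProperty` on the result, so a parser that must return ordinary objects should copy into a fresh `{}` after validation rather than build on one.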
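Several entries above (deep-get-set, mout, querymen, fastify-multipart) are bypasses of an earlier patch, and the fastify-multipart note names the usual route: once `__proto__` is blocked, `constructor.prototype` reaches the same object. The following is an added example written for this page, not code from merge, mout, deep-get-set or any other package in the table: a recursive merge in the shape many of those libraries used, the `__proto__`-only patch and the `constructor` payload that gets past it, and a hardened merge. The payloads, function names and the `polluted` marker are constructed for illustration; it runs under Node.js with no dependencies.

```javascript
// Added example (not code from any package listed above).

// Constructed attacker inputs, e.g. a parsed JSON request body. JSON.parse
// creates an own, enumerable property literally named "__proto__", which a
// naive for...in merge then walks into like any other key.
const PAYLOAD_PROTO = JSON.parse('{"__proto__": {"polluted": "yes"}}');
// The bypass once "__proto__" alone is blocked: target.constructor is the
// Object function, and Object.prototype is the global prototype.
const PAYLOAD_CTOR = JSON.parse(
  '{"constructor": {"prototype": {"polluted": "yes"}}}');

// lodash-style isObject: true for functions as well, which is exactly what
// lets a merge descend into target.constructor.
function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// 1. Vulnerable: no key check at all.
function mergeVulnerable(target, source) {
  for (const key in source) {
    if (isObjectLike(source[key]) && isObjectLike(target[key])) {
      mergeVulnerable(target[key], source[key]); // target["__proto__"] === Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// 2. Incomplete fix: skips "__proto__" only; PAYLOAD_CTOR still gets through.
function mergeProtoOnly(target, source) {
  for (const key in source) {
    if (key === '__proto__') continue;
    if (isObjectLike(source[key]) && isObjectLike(target[key])) {
      mergeProtoOnly(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// 3. Hardened: reject the three dangerous names, iterate own keys only, and
// recurse only into plain objects the target itself owns, never into anything
// inherited such as constructor.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = mergeSafe(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Applies one merge to a fresh target and reports whether a brand-new object
// now inherits the attacker's property; cleans up so checks stay independent.
function mergePollutes(mergeFn, payload) {
  delete Object.prototype.polluted;
  mergeFn({}, payload);
  const hit = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return hit;
}
```

The point of the second function is the one the "incomplete fix" notes in the table make: a patch that names `__proto__` and nothing else is not a patch. When reviewing a merge, set or path-assignment routine, check all three names, check that recursion only follows own properties, and prefer `Object.keys` over `for...in` so that inherited keys are never copied. Freezing `Object.prototype` at startup (`Object.freeze(Object.prototype)`) is a useful defence-in-depth layer on top, with the caveat that it breaks libraries that legitimately extend built-ins.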