Total
314 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-24279 | 1 Springtree | 1 Madlib-object-utils | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676) | |||||
| CVE-2020-7598 | 2 Opensuse, Substack | 2 Leap, Minimist | 2022-04-22 | 6.8 MEDIUM | 5.6 MEDIUM |
| minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | |||||
| CVE-2022-21803 | 1 Nconf Project | 1 Nconf | 2022-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype. | |||||
| CVE-2022-23395 | 1 Jquery.cookie Project | 1 Jquery.cookie | 2022-04-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS). | |||||
| CVE-2022-1295 | 1 Fullpage Project | 1 Fullpage | 2022-04-15 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype Pollution in GitHub repository alvarotrigo/fullpage.js prior to 4.0.2. | |||||
| CVE-2022-24802 | 1 Deepmerge-ts Project | 1 Deepmerge-ts | 2022-04-11 | 7.5 HIGH | 9.8 CRITICAL |
| deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known workarounds for this issue. | |||||
| CVE-2020-7751 | 1 Chaijis | 1 Pathval | 2022-04-08 | 6.5 MEDIUM | 7.2 HIGH |
| pathval before version 1.1.1 is vulnerable to prototype pollution. | |||||
| CVE-2022-26260 | 1 Simple-plist Project | 1 Simple-plist | 2022-03-28 | 7.5 HIGH | 9.8 CRITICAL |
| Simple-Plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse(). | |||||
| CVE-2022-25354 | 1 Set-in Project | 1 Set-in | 2022-03-24 | 7.5 HIGH | 9.8 CRITICAL |
| The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049) | |||||
| CVE-2022-25296 | 1 Bodymen Project | 1 Bodymen | 2022-03-24 | 7.5 HIGH | 7.3 HIGH |
| The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897) | |||||
| CVE-2022-25352 | 1 Libnested Project | 1 Libnested | 2022-03-24 | 7.5 HIGH | 9.8 CRITICAL |
| The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930) | |||||
| CVE-2021-44908 | 1 Sailsjs | 1 Sails | 2022-03-24 | 7.5 HIGH | 9.8 CRITICAL |
| SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). | |||||
| CVE-2021-23771 | 2 Argencoders-notevil Project, Notevil Project | 2 Argencoders-notevil, Notevil | 2022-03-24 | 6.4 MEDIUM | 6.5 MEDIUM |
| This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878). | |||||
| CVE-2021-43956 | 1 Atlassian | 2 Crucible, Fisheye | 2022-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. | |||||
| CVE-2021-23702 | 1 Object-extend Project | 1 Object-extend | 2022-02-25 | 7.5 HIGH | 9.8 CRITICAL |
| The package object-extend from 0.0.0 are vulnerable to Prototype Pollution via object-extend. | |||||
| CVE-2021-23682 | 2 Appwrite, Litespeed.js Project | 2 Appwrite, Litespeed.js | 2022-02-24 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability. | |||||
| CVE-2021-23497 | 1 Set Project | 1 Set | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821 | |||||
| CVE-2021-23507 | 1 Skratchdot | 1 Object-path-set | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| The package object-path-set before 1.0.2 are vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-OBJECTPATHSET-607908 | |||||
| CVE-2021-23470 | 1 Putil-merge Project | 1 Putil-merge | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077 | |||||
| CVE-2022-0432 | 1 Joinmastodon | 1 Mastodon | 2022-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. | |||||