Total: 314 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-3901 | 1 Visioglobe | 1 Visioweb | 2024-09-12 | N/A | 6.1 MEDIUM | Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system. |
CVE-2024-45435 | 1 Chartist | 1 Chartist | 2024-09-03 | N/A | 9.8 CRITICAL | Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. |
CVE-2024-37287 | 1 Elastic | 1 Kibana | 2024-08-22 | N/A | 7.2 HIGH | A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices, can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution. |
CVE-2024-36572 | 1 Allpro | 1 Formmanager Data Handler | 2024-08-08 | N/A | 9.8 CRITICAL | Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue. |
CVE-2024-38984 | 1 Lukebond | 1 Json-override | 2024-08-08 | N/A | 9.8 CRITICAL | Prototype Pollution in lukebond json-override 0.2.0 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property. |
CVE-2024-38986 | 1 75lb | 1 Deep-merge | 2024-08-08 | N/A | 9.8 CRITICAL | Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects. |
CVE-2024-39010 | 1 Chasemoskal | 1 Snapstate | 2024-08-08 | N/A | 9.8 CRITICAL | chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
CVE-2024-39011 | 1 Chargeover | 1 Redoc | 2024-08-08 | N/A | 9.8 CRITICAL | Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects. |
CVE-2024-38983 | 1 Alykoshin | 1 Mini-deep-assign | 2024-08-08 | N/A | 9.8 CRITICAL | Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index.js:91). |
CVE-2021-42581 | 1 Ramdajs | 1 Ramda | 2024-08-04 | 6.4 MEDIUM | 9.1 CRITICAL | Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of the application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes. |
CVE-2022-37598 | 1 Uglifyjs Project | 1 Uglifyjs | 2024-08-03 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report. |
CVE-2024-22443 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-08-01 | N/A | 8.8 HIGH | A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system, leading to complete system compromise. |
CVE-2023-36665 | 1 Protobufjs Project | 1 Protobufjs | 2024-06-28 | N/A | 9.8 CRITICAL | protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. |
CVE-2021-43138 | 2 Async Project, Fedoraproject | 2 Async, Fedora | 2024-06-21 | 6.8 MEDIUM | 7.8 HIGH | In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. |
CVE-2020-28458 | 1 Datatables | 1 Datatables.net | 2024-06-21 | 7.5 HIGH | 7.3 HIGH | All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. |
CVE-2020-15366 | 1 Ajv.js | 1 Ajv | 2024-06-21 | 6.8 MEDIUM | 5.6 MEDIUM | An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.) |
CVE-2023-26136 | 1 Salesforce | 1 Tough-cookie | 2024-06-21 | N/A | 9.8 CRITICAL | Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized. |
CVE-2021-44906 | 1 Substack | 1 Minimist | 2024-06-21 | 7.5 HIGH | 9.8 CRITICAL | Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). |
CVE-2022-4742 | 1 Json-pointer Project | 1 Json-pointer | 2024-05-17 | N/A | 9.8 CRITICAL | A vulnerability, which was classified as critical, has been found in json-pointer up to 0.6.1. Affected by this issue is the function set of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. Upgrading to version 0.6.2 is able to address this issue. The patch is identified as 859c9984b6c407fc2d5a0a7e47c7274daa681941. It is recommended to upgrade the affected component. VDB-216794 is the identifier assigned to this vulnerability. |
CVE-2021-4278 | 1 Tree Kit Project | 1 Tree Kit | 2024-05-17 | N/A | 7.8 HIGH | A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Upgrading to version 0.7.0 is able to address this issue. The name of the patch is a63f559c50d70e8cb2eaae670dec25d1dbc4afcd. It is recommended to upgrade the affected component. The identifier VDB-216765 was assigned to this vulnerability. |