Total
272 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-25944 | 1 Deep-defaults Project | 1 Deep-defaults | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. | |||||
CVE-2021-3757 | 1 Immer Project | 1 Immer | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
CVE-2021-23396 | 1 Lutils Project | 1 Lutils | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function. | |||||
CVE-2021-32807 | 1 Zope | 1 Accesscontrol | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution. By default, you need to have the admin-level Zope "Manager" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk. The problem has been fixed in AccessControl 4.3 and 5.2. Only AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7. As a workaround, a site administrator can restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope. | |||||
CVE-2021-20087 | 1 Acemetrix | 1 Jquery-deparam | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype. | |||||
CVE-2021-3766 | 1 Objection Project | 1 Objection | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
CVE-2021-26707 | 2 Merge-deep Project, Netapp | 2 Merge-deep, E-series Performance Analyzer | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library. | |||||
CVE-2021-20086 | 1 Jquery-bbq Project | 1 Jquery-bbq | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype. | |||||
CVE-2021-25941 | 1 Deep-override Project | 1 Deep-override | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
CVE-2020-7737 | 1 Safetydance Project | 1 Safetydance | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
All versions of package safetydance are vulnerable to Prototype Pollution via the set function. | |||||
CVE-2021-23329 | 1 Getadigital | 1 Nested-object-assign | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The package nested-object-assign before 1.0.4 are vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below. | |||||
CVE-2020-28268 | 1 Controlled-merge Project | 1 Controlled-merge | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution. | |||||
CVE-2020-28460 | 1 Multi-ini Project | 1 Multi-ini | 2023-12-10 | 7.5 HIGH | 8.1 HIGH |
This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448. | |||||
CVE-2020-7766 | 1 Json-ptr Project | 1 Json-ptr | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution. | |||||
CVE-2020-7768 | 1 Grpc | 1 Grpc | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition. | |||||
CVE-2020-8158 | 1 Typeorm | 1 Typeorm | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks. | |||||
CVE-2020-28458 | 1 Datatables | 1 Datatables.net | 2023-12-10 | 7.5 HIGH | 7.3 HIGH |
All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. | |||||
CVE-2020-7774 | 3 Oracle, Siemens, Y18n Project | 3 Graalvm, Sinec Infrastructure Network Services, Y18n | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. | |||||
CVE-2020-7746 | 1 Chartjs | 1 Chart.js | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution. | |||||
CVE-2021-27582 | 1 Mitreid | 1 Connect | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest. |