Total: 272 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-7699 | 2 Express-fileupload Project, Netapp | 2 Express-fileupload, Max Data | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. |
CVE-2020-7727 | 1 Gedi Project | 1 Gedi | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | All versions of package gedi are vulnerable to Prototype Pollution via the set function. |
CVE-2020-7719 | 1 Locutus | 1 Locutus | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Versions of package locutus before 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function. |
CVE-2020-7679 | 1 Casperjs | 1 Casperjs | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution. |
CVE-2020-7638 | 1 Confinit Project | 1 Confinit | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | confinit through 0.3.0 is vulnerable to Prototype Pollution. The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. |
CVE-2019-0230 | 2 Apache, Oracle | 5 Struts, Communications Policy Management, Financial Services Data Integration Hub and 2 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. |
CVE-2020-7720 | 1 Digitalbazaar | 1 Forge | 2023-12-10 | 7.5 HIGH | 7.3 HIGH | The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions. |
CVE-2020-12079 | 1 Beakerbrowser | 1 Beaker | 2023-12-10 | 7.5 HIGH | 10.0 CRITICAL | Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefore an attacker can conduct a prototype-pollution attack against the Electron internal messaging API. |
CVE-2020-7708 | 1 Irrelon | 2 @irrelon/path, Irrelon-path | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The packages irrelon-path before 4.7.0 and @irrelon/path before 4.7.0 are vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions. |
CVE-2020-7724 | 1 Tiny-conf Project | 1 Tiny-conf | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | All versions of package tiny-conf are vulnerable to Prototype Pollution via the set function. |
CVE-2020-7701 | 1 Springtree | 1 Madlib-object-utils | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue. |
CVE-2020-7725 | 1 Guidesmiths | 1 Worksmith | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function. |
CVE-2020-7721 | 1 Node-oojs Project | 1 Node-oojs | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function. |
CVE-2020-7717 | 1 Dot-notes Project | 1 Dot-notes | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | All versions of package dot-notes are vulnerable to Prototype Pollution via the create function. |
CVE-2019-10808 | 1 Xcritical.software | 1 Utilitify | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype. |
CVE-2019-17315 | 1 Sugarcrm | 1 Sugarcrm | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user. |
CVE-2019-10768 | 1 Angularjs | 1 Angular.js | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. |
CVE-2019-19919 | 2 Handlebars.js Project, Tenable | 2 Handlebars.js, Tenable.sc | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. |
CVE-2019-10806 | 1 Vega Project | 1 Vega | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype. |
CVE-2019-17317 | 1 Sugarcrm | 1 Sugarcrm | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user. |