Total: 272 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-21169 | 1 Express Xss Sanitizer Project | 1 Express Xss Sanitizer | 2024-02-14 | N/A | 6.1 MEDIUM | The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass XSS sanitization.
CVE-2023-26135 | 1 Flatnest Project | 1 Flatnest | 2024-02-07 | N/A | 9.8 CRITICAL | All versions of the package flatnest are vulnerable to Prototype Pollution via the nest() function in the flatnest/nest.js file.
CVE-2023-32305 | 2 Aiven, Postgresql | 2 Aiven, Postgresql | 2024-02-01 | N/A | 8.8 HIGH | aiven-extras is a PostgreSQL extension. Versions prior to 1.1.9 contain a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages missing schema qualifiers on privileged functions called by the aiven-extras extension. A low privileged user can create objects that collide with existing function names, which will then be executed instead. Exploiting this vulnerability could allow a low privileged user to acquire `superuser` privileges, which would allow full, unrestricted access to all data and database functions, and could lead to arbitrary code execution or data access on the underlying host as the `postgres` user. The issue has been patched as of version 1.1.9.
CVE-2024-23339 | 1 Elijahharry | 1 Hoolock | 2024-01-30 | N/A | 6.5 MEDIUM | hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties.
CVE-2021-4245 | 1 Rfc6902 Project | 1 Rfc6902 | 2024-01-25 | N/A | 9.8 CRITICAL | A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The exploit has been disclosed to the public and may be used. The name of the patch is c006ce9faa43d31edb34924f1df7b79c137096cf. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215883.
CVE-2019-10744 | 5 F5, Lodash, Netapp and 2 more | 21 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 18 more | 2024-01-21 | 6.4 MEDIUM | 9.1 CRITICAL | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
CVE-2020-8203 | 2 Lodash, Oracle | 18 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 15 more | 2024-01-21 | 5.8 MEDIUM | 7.4 HIGH | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
CVE-2023-39296 | 1 Qnap | 2 Qts, Quts Hero | 2024-01-11 | N/A | 7.5 HIGH | A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have an incompatible type, which may lead to a crash via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later; QuTS hero h5.1.3.2578 build 20231110 and later.
CVE-2023-46308 | 1 Plotly | 1 Plotly.js | 2024-01-09 | N/A | 9.8 CRITICAL | In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.
CVE-2022-29823 | 1 Feathersjs | 1 Feathers-sequelize | 2024-01-02 | N/A | 9.8 CRITICAL | The Feathers-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in Remote Code Execution (RCE) with the privileges of the application.
CVE-2023-26920 | 1 Naturalintelligence | 1 Fast Xml Parser | 2023-12-14 | N/A | 6.5 MEDIUM | fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution.
CVE-2023-6293 | 1 Sequelizejs | 1 Sequelize-typescript | 2023-12-10 | N/A | 7.1 HIGH | Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6.
CVE-2023-3696 | 1 Mongoosejs | 1 Mongoose | 2023-12-10 | N/A | 9.8 CRITICAL | Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
CVE-2023-3965 | 1 Saleswizard | 1 Nsc | 2023-12-10 | N/A | 6.1 MEDIUM | The nsc theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2023-3962 | 1 Myshopkit | 1 Winters | 2023-12-10 | N/A | 6.1 MEDIUM | The Winters theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2023-38894 | 1 Tree Kit Project | 1 Tree Kit | 2023-12-10 | N/A | 9.8 CRITICAL | A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function.
CVE-2023-1717 | 1 Bitrix24 | 1 Bitrix24 | 2023-12-10 | N/A | 9.6 CRITICAL | Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting `__proto__[tag]` and `__proto__[text]`.
CVE-2023-26139 | 1 Underscore-keypath Project | 1 Underscore-keypath | 2023-12-10 | N/A | 7.5 HIGH | Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization, which allows the usage of arguments like `__proto__`.
CVE-2023-3933 | 1 Wiloke | 1 Your Journey | 2023-12-10 | N/A | 6.1 MEDIUM | The Your Journey theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2023-45282 | 1 Nasa | 1 Openmct | 2023-12-10 | N/A | 7.5 HIGH | In NASA Open MCT (aka openmct) before 3.1.0, prototype pollution can occur via an import action.