Total
272 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-26505 | 1 Hello.js Project | 1 Hello.js | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, allows remote attackers to execute arbitrary code via hello.utils.extend function. | |||||
| CVE-2023-45827 | 1 Clickbar | 1 Dot-diver | 2023-12-10 | N/A | 9.8 CRITICAL |
| Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability. | |||||
| CVE-2023-45811 | 1 Relative | 1 Synchrony | 2023-12-10 | N/A | 7.8 HIGH |
| Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `deobfuscator@2.4.4`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags | |||||
| CVE-2023-28103 | 1 Matrix-react-sdk Project | 1 Matrix-react-sdk | 2023-12-10 | N/A | 8.2 HIGH |
| matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Object.prototype`, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic. This is fixed in matrix-react-sdk 3.69.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. Note this advisory is distinct from GHSA-2x9c-qwgf-94xr which refers to a similar issue. | |||||
| CVE-2023-30533 | 1 Sheetjs | 1 Sheetjs | 2023-12-10 | N/A | 7.8 HIGH |
| SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words. 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected. | |||||
| CVE-2023-26122 | 1 Safe-eval Project | 1 Safe-eval | 2023-12-10 | N/A | 10.0 CRITICAL |
| All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf(). | |||||
| CVE-2023-26132 | 1 Dottie Project | 1 Dottie | 2023-12-10 | N/A | 7.5 HIGH |
| Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file. | |||||
| CVE-2023-30363 | 1 Tencent | 1 Vconsole | 2023-12-10 | N/A | 9.8 CRITICAL |
| vConsole v3.15.0 was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts. | |||||
| CVE-2023-26133 | 1 Progressbar.js Project | 1 Progressbar.js | 2023-12-10 | N/A | 9.8 CRITICAL |
| All versions of the package progressbar.js are vulnerable to Prototype Pollution via the function extend() in the file utils.js. | |||||
| CVE-2023-26121 | 1 Safe-eval Project | 1 Safe-eval | 2023-12-10 | N/A | 10.0 CRITICAL |
| All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content. | |||||
| CVE-2023-36475 | 1 Parseplatform | 1 Parse-server | 2023-12-10 | N/A | 9.8 CRITICAL |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1. | |||||
| CVE-2022-36059 | 1 Matrix | 1 Javascript Sdk | 2023-12-10 | N/A | 5.3 MEDIUM |
| matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible. | |||||
| CVE-2023-26113 | 1 Collection.js Project | 1 Collection.js | 2023-12-10 | N/A | 7.5 HIGH |
| Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js. | |||||
| CVE-2023-30857 | 1 Aedart | 1 Ion | 2023-12-10 | N/A | 3.7 LOW |
| @aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`. | |||||
| CVE-2023-2582 | 1 Strikingly | 1 Strikingly | 2023-12-10 | N/A | 6.1 MEDIUM |
| A prototype pollution vulnerability exists in Strikingly CMS which can result in reflected cross-site scripting (XSS) in affected applications and sites built with Strikingly. The vulnerability exists because of Strikingly JavaScript library parsing the URL fragment allows access to the __proto__ or constructor properties and the Object prototype. By leveraging an embedded gadget like jQuery, an attacker who convinces a victim to visit a specially crafted link could achieve arbitrary javascript execution in the context of the user's browser. | |||||
| CVE-2023-2972 | 1 Antfu | 1 Utils | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype Pollution in GitHub repository antfu/utils prior to 0.7.3. | |||||
| CVE-2022-36060 | 1 Matrix | 1 React Sdk | 2023-12-10 | N/A | 5.3 MEDIUM |
| matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered. This issue has been fixed in matrix-react-sdk 3.53.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-24999 | 3 Debian, Openjsf, Qs Project | 3 Debian Linux, Express, Qs | 2023-12-10 | N/A | 7.5 HIGH |
| qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable). | |||||
| CVE-2023-26105 | 1 Utilities Project | 1 Utilities | 2023-12-10 | N/A | 7.5 HIGH |
| All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function. | |||||
| CVE-2022-1802 | 2 Google, Mozilla | 4 Android, Firefox, Firefox Esr and 1 more | 2023-12-10 | N/A | 8.8 HIGH |
| If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1. | |||||