Total
272 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-28441 | 1 Conf-cfg-ini Project | 1 Conf-cfg-ini | 2023-12-10 | N/A | 9.8 CRITICAL |
| This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context. | |||||
| CVE-2022-2625 | 3 Fedoraproject, Postgresql, Redhat | 3 Fedora, Postgresql, Enterprise Linux | 2023-12-10 | N/A | 8.0 HIGH |
| A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser. | |||||
| CVE-2022-41879 | 1 Parseplatform | 1 Parse-server | 2023-12-10 | N/A | 9.8 CRITICAL |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds. | |||||
| CVE-2020-28471 | 1 Properties-reader Project | 1 Properties-reader | 2023-12-10 | N/A | 9.8 CRITICAL |
| This affects the package properties-reader before 2.2.0. | |||||
| CVE-2022-37264 | 1 Stealjs | 1 Steal | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js. | |||||
| CVE-2022-37601 | 2 Debian, Webpack.js | 2 Debian Linux, Loader-utils | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js. | |||||
| CVE-2022-37266 | 1 Stealjs | 1 Steal | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function extend in babel.js in stealjs steal 2.2.4 via the key variable in babel.js. | |||||
| CVE-2022-37265 | 1 Stealjs | 1 Steal | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js. | |||||
| CVE-2020-28461 | 1 Js-ini Project | 1 Js-ini | 2023-12-10 | N/A | 9.8 CRITICAL |
| This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | |||||
| CVE-2022-25907 | 1 Typescript Deep Merge Project | 1 Typescript Deep Merge | 2023-12-10 | N/A | 9.8 CRITICAL |
| The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Pollution due to missing sanitization of the merge function. | |||||
| CVE-2022-39357 | 1 Wintercms | 1 Winter | 2023-12-10 | N/A | 9.8 CRITICAL |
| Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. This issue has been patched in v1.1.10 and v1.2.1. As a workaround, one may avoid this issue by following some common security practices for JavaScript, including implementing a content security policy and auditing scripts. | |||||
| CVE-2022-37257 | 1 Stealjs | 1 Steal | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. | |||||
| CVE-2022-37617 | 1 Browserify-shim Project | 1 Browserify-shim | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the k variable in resolve-shims.js. | |||||
| CVE-2022-37602 | 1 Grunt-karma Project | 1 Grunt-karma | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 via the key variable in grunt-karma.js. | |||||
| CVE-2022-37616 | 2 Debian, Xmldom Project | 2 Debian Linux, Xmldom | 2023-12-10 | N/A | 9.8 CRITICAL |
| A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted." | |||||
| CVE-2022-39396 | 1 Parseplatform | 1 Parse-server | 2023-12-10 | N/A | 9.8 CRITICAL |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds. | |||||
| CVE-2022-37611 | 1 Gh-pages Project | 1 Gh-pages | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in tschaub gh-pages 3.1.0 via the partial variable in util.js. | |||||
| CVE-2022-41713 | 1 Deep-object-diff Project | 1 Deep-object-diff | 2023-12-10 | N/A | 5.3 MEDIUM |
| deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited. | |||||
| CVE-2022-37621 | 1 Browserify-shim Project | 1 Browserify-shim | 2023-12-10 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in resolve-shims.js. | |||||
| CVE-2021-23397 | 1 Merge Project | 1 Merge | 2023-12-10 | N/A | 9.8 CRITICAL |
| All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead. | |||||