Total
273 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25645 | 1 Dset Project | 1 Dset | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution. | |||||
| CVE-2022-31106 | 1 Clever | 1 Underscore.deep | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to prevent specific keywords which will prevent this from happening. | |||||
| CVE-2022-1295 | 1 Fullpage Project | 1 Fullpage | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype Pollution in GitHub repository alvarotrigo/fullpage.js prior to 4.0.2. | |||||
| CVE-2022-21231 | 1 Deep-get-set Project | 1 Deep-get-set | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666) | |||||
| CVE-2021-44908 | 1 Sailsjs | 1 Sails | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). | |||||
| CVE-2022-21189 | 1 Dexie | 1 Dexie | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input. | |||||
| CVE-2022-24279 | 1 Springtree | 1 Madlib-object-utils | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676) | |||||
| CVE-2022-25324 | 1 Bignum Project | 1 Bignum | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8, when verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks. | |||||
| CVE-2022-25871 | 1 Querymen Project | 1 Querymen | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. Note: This vulnerability derives from an incomplete fix of [CVE-2020-7600](https://security.snyk.io/vuln/SNYK-JS-QUERYMEN-559867). | |||||
| CVE-2022-26260 | 1 Simple-plist Project | 1 Simple-plist | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Simple-Plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse(). | |||||
| CVE-2021-44906 | 1 Substack | 1 Minimist | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). | |||||
| CVE-2022-24802 | 1 Deepmerge-ts Project | 1 Deepmerge-ts | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known workarounds for this issue. | |||||
| CVE-2021-43956 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. | |||||
| CVE-2022-21190 | 1 Mozilla | 1 Convict | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604). The [fix](https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880) introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with __proto__ or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.__proto__ or foo.this.constructor.prototype. | |||||
| CVE-2022-23624 | 1 Frourio | 1 Frourio-express | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| Frourio-express is a minimal full stack framework, for TypeScript. Frourio-express users who uses frourio-express version prior to v0.26.0 and integration with class-validator through `validators/` folder are subject to a input validation vulnerability. Validators do not work properly for request bodies and queries in specific situations and some input is not validated at all. Users are advised to update frourio to v0.26.0 or later and to install `class-transformer` and `reflect-metadata`. | |||||
| CVE-2021-23497 | 1 Set Project | 1 Set | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821 | |||||
| CVE-2021-23507 | 1 Skratchdot | 1 Object-path-set | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The package object-path-set before 1.0.2 are vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-OBJECTPATHSET-607908 | |||||
| CVE-2021-23700 | 1 Merge-deep2 Project | 1 Merge-deep2 | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function. | |||||
| CVE-2021-3666 | 1 Xml Body Parser Project | 1 Xml Body Parser | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
| CVE-2021-43787 | 1 Nodebb | 1 Nodebb | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible. | |||||