| CVE | Vendors | Products | Updated | CVSS v3.1 |
| This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448. |
| This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link. |
| All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. |
| This affects the package s-cart/core before 4.4. The search functionality of the admin dashboard in core/src/Admin/Controllers/AdminOrderController.phpindex is vulnerable to XSS. |
| The package s-cart/core before 4.4 is vulnerable to Cross-site Scripting (XSS) via the admin panel. |
| This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped. |
| This affects all versions of package npos-tesseract. The injection point is located in line 55 in lib/ocr.js. |
| This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks that the two values are equal and non-empty. |
| This affects the package image-tiler before 2.0.2. |
| This affects all versions of package decal. The vulnerability is in the extend function. |
| This affects all versions of package decal. The vulnerability is in the set function. |
| This affects the package multi-ini before 2.1.1. It is possible to pollute an object's prototype by specifying the proto object as part of an array. |
| This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath). |
| The package ntesseract before 0.2.9 is vulnerable to Command Injection via lib/tesseract.js. |
| This affects all versions of package npm-help. The injection point is located in line 13 in index.js file in export.latestVersion() function. |
| This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js. |
| All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn function. |
| This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context. |
| All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function. |
| This affects all versions of package corenlp-js-prefab. The injection point is located in line 10 in 'index.js'. It depends on a vulnerable package 'corenlp-js-interface'. The vulnerability can be exploited with the following PoC: |