Total: 344 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-26132 | 1 Dottie Project | 1 Dottie | 2024-08-02 | 7.5 High |
Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file. | ||||
CVE-2023-26136 | 2 Redhat, Salesforce | 8 Acm, Jboss Enterprise Application Platform, Logging and 5 more | 2024-08-02 | 6.5 Medium |
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized. | ||||
CVE-2023-26158 | 1 Mockjs | 1 Mock.js | 2024-08-02 | 8.2 High |
All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). User controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability. Workaround: by using a denylist of dangerous attributes, this weakness can be eliminated. Add the following line in the Util.extend function: `if (["__proto__", "constructor", "prototype"].includes(name)) continue`. The patched function in src/mock/handler.js then reads as follows. | ||||

```javascript
// src/mock/handler.js
Util.extend = function extend() {
    var target = arguments[0] || {},
        i = 1,
        length = arguments.length,
        options, name, src, copy, clone

    if (length === 1) {
        target = this
        i = 0
    }

    for (; i < length; i++) {
        options = arguments[i]
        if (!options) continue

        for (name in options) {
            // Denylist: never copy keys that would reach Object.prototype
            if (["__proto__", "constructor", "prototype"].includes(name)) continue
            src = target[name]
            copy = options[name]

            if (target === copy) continue
            if (copy === undefined) continue

            if (Util.isArray(copy) || Util.isObject(copy)) {
                if (Util.isArray(copy)) clone = src && Util.isArray(src) ? src : []
                if (Util.isObject(copy)) clone = src && Util.isObject(src) ? src : {}

                target[name] = Util.extend(clone, copy)
            } else {
                target[name] = copy
            }
        }
    }

    return target
}
```

CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-26133 | 1 Progressbar.js Project | 1 Progressbar.js | 2024-08-02 | 8.2 High |
All versions of the package progressbar.js are vulnerable to Prototype Pollution via the function extend() in the file utils.js. | ||||
CVE-2023-26105 | 1 Utilities Project | 1 Utilities | 2024-08-02 | 7.5 High |
All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function. | ||||
CVE-2023-26113 | 1 Collection.js Project | 1 Collection.js | 2024-08-02 | 7.5 High |
Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js. | ||||
CVE-2023-26122 | 1 Safe-eval Project | 1 Safe-eval | 2024-08-02 | 8.8 High |
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf(). | ||||
CVE-2023-26106 | 1 Dot-lens Project | 1 Dot-lens | 2024-08-02 | 7.5 High |
All versions of the package dot-lens are vulnerable to Prototype Pollution via the set() function in index.js file. | ||||
CVE-2023-23917 | 1 Rocket.chat | 1 Rocket.chat | 2024-08-02 | 8.8 High |
A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to achieve RCE under the admin account. Any user can create their own server in your cloud and become an admin, so this vulnerability could affect the cloud infrastructure. This attack vector also may increase the impact of XSS to RCE, which is dangerous for self-hosted users as well. | ||||
CVE-2023-6293 | 1 Sequelizejs | 1 Sequelize-typescript | 2024-08-02 | 7.1 High |
Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6. | ||||
CVE-2023-3933 | 1 Wiloke | 1 Your Journey | 2024-08-02 | 6.1 Medium |
The Your Journey theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
CVE-2023-3965 | 1 Saleswizard | 1 Nsc | 2024-08-02 | 6.1 Medium |
The nsc theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
CVE-2023-3962 | 1 Myshopkit | 1 Winters | 2024-08-02 | 6.1 Medium |
The Winters theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
CVE-2023-2972 | 1 Antfu | 1 Utils | 2024-08-02 | 9.8 Critical |
Prototype Pollution in GitHub repository antfu/utils prior to 0.7.3. | ||||
CVE-2023-2582 | 1 Strikingly | 1 Strikingly | 2024-08-02 | 6.1 Medium |
A prototype pollution vulnerability exists in Strikingly CMS which can result in reflected cross-site scripting (XSS) in affected applications and sites built with Strikingly. The vulnerability exists because the Strikingly JavaScript library's parsing of the URL fragment allows access to the __proto__ or constructor properties and the Object prototype. By leveraging an embedded gadget like jQuery, an attacker who convinces a victim to visit a specially crafted link could achieve arbitrary JavaScript execution in the context of the user's browser. | ||||
CVE-2023-0842 | 1 Xml2js Project | 1 Xml2js | 2024-08-02 | 5.3 Medium |
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. | ||||
CVE-2024-39853 | | | 2024-08-02 | 6.5 Medium |
adolph_dudu ratio-swiper 0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
CVE-2024-38996 | 1 Ag-grid | 2 Ag-grid-community, Ag-grid-enterprise | 2024-08-02 | 9.8 Critical |
ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
CVE-2024-39018 | 1 Harvey-woo | 1 Key-serializer | 2024-08-02 | 6.3 Medium |
harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function "query". This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
CVE-2024-38999 | 1 Jrburke | 1 Requirejs | 2024-08-02 | 10 Critical |
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |