Total
344 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-3721 | 3 Lodash, Netapp, Redhat | 4 Lodash, Active Iq Unified Manager, System Manager and 1 more | 2024-09-16 | 6.5 Medium |
| lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects. | ||||
| CVE-2021-23373 | 1 Set-deep-prop Project | 1 Set-deep-prop | 2024-09-16 | 7.5 High |
| All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality. | ||||
| CVE-2020-7718 | 1 Gammautils Project | 1 Gammautils | 2024-09-16 | 9.8 Critical |
| All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions. | ||||
| CVE-2021-23442 | 1 Cookiex-deep Project | 1 Cookiex-deep | 2024-09-16 | 8.6 High |
| This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object. | ||||
| CVE-2020-7766 | 1 Json-ptr Project | 1 Json-ptr | 2024-09-16 | 7.3 High |
| This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution. | ||||
| CVE-2020-7707 | 1 Property-expr Project | 1 Property-expr | 2024-09-16 | 9.8 Critical |
| The package property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function. | ||||
| CVE-2021-23700 | 1 Merge-deep2 Project | 1 Merge-deep2 | 2024-09-16 | 6.5 Medium |
| All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function. | ||||
| CVE-2021-23417 | 1 Deepmergefn Project | 1 Deepmergefn | 2024-09-16 | 5.6 Medium |
| All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function. | ||||
| CVE-2020-7715 | 1 Deep-get-set Project | 1 Deep-get-set | 2024-09-16 | 9.8 Critical |
| All versions of package deep-get-set are vulnerable to Prototype Pollution via the main function. | ||||
| CVE-2020-7708 | 1 Irrelon | 2 \@irrelon\/path, Irrelon-path | 2024-09-16 | 9.8 Critical |
| The package irrelon-path before 4.7.0; the package @irrelon/path before 4.7.0 are vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions. | ||||
| CVE-2021-23450 | 3 Debian, Linuxfoundation, Oracle | 5 Debian Linux, Dojo, Communications Policy Management and 2 more | 2024-09-16 | 7.5 High |
| All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. | ||||
| CVE-2020-7709 | 1 Smallpdf | 1 Json-pointer | 2024-09-16 | 6 Medium |
| This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported. | ||||
| CVE-2020-7702 | 1 Templ8 Project | 1 Templ8 | 2024-09-16 | 9.8 Critical |
| All versions of package templ8 are vulnerable to Prototype Pollution via the parse function. | ||||
| CVE-2020-7770 | 1 Json8 Project | 1 Json8 | 2024-09-16 | 6.5 Medium |
| This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution. | ||||
| CVE-2020-7714 | 1 Realseriousgames | 1 Confucious | 2024-09-16 | 9.8 Critical |
| All versions of package confucious are vulnerable to Prototype Pollution via the set function. | ||||
| CVE-2022-25907 | 1 Typescript Deep Merge Project | 1 Typescript Deep Merge | 2024-09-16 | 7.5 High |
| The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Pollution due to missing sanitization of the merge function. | ||||
| CVE-2021-23682 | 2 Appwrite, Litespeed.js Project | 2 Appwrite, Litespeed.js | 2024-09-16 | 7.3 High |
| This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability. | ||||
| CVE-2021-23574 | 1 Js-data | 1 Js-data | 2024-09-16 | 7.5 High |
| All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS-JSDATA-1023655). | ||||
| CVE-2020-7774 | 4 Oracle, Redhat, Siemens and 1 more | 7 Graalvm, Enterprise Linux, Openshift and 4 more | 2024-09-16 | 7.3 High |
| The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. | ||||
| CVE-2022-21189 | 1 Dexie | 1 Dexie | 2024-09-16 | 7.3 High |
| The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input. | ||||