Total
344 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-7721 | 1 Node-oojs Project | 1 Node-oojs | 2024-09-16 | 9.8 Critical |
All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function. | ||||
CVE-2021-23663 | 1 Sey Project | 1 Sey | 2024-09-16 | 6.5 Medium |
All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function. | ||||
CVE-2021-23568 | 1 Eggjs | 1 Extend2 | 2024-09-16 | 7.3 High |
The package extend2 before 1.0.1 is vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge. | ||||
CVE-2020-7720 | 2 Digitalbazaar, Redhat | 3 Forge, Ansible Tower, Openshift Container Storage | 2024-09-16 | 9.8 Critical |
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions. | ||||
CVE-2020-7727 | 1 Gedi Project | 1 Gedi | 2024-09-16 | 9.8 Critical |
All versions of package gedi are vulnerable to Prototype Pollution via the set function. | ||||
CVE-2021-23460 | 1 Camunda | 1 Min-dash | 2024-09-16 | 7.5 High |
The package min-dash before 3.8.1 is vulnerable to Prototype Pollution via the set method due to missing enforcement of key types. | ||||
CVE-2022-25354 | 1 Set-in Project | 1 Set-in | 2024-09-16 | 8.6 High |
The package set-in before 2.0.3 is vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049) | ||||
CVE-2020-7723 | 1 Yola | 1 Promisehelpers | 2024-09-16 | 9.8 Critical |
All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function. | ||||
CVE-2021-23402 | 1 Record-like-deep-assign Project | 1 Record-like-deep-assign | 2024-09-16 | 7.3 High |
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. | ||||
CVE-2021-23597 | 1 Fastify | 1 Fastify-multipart | 2024-09-16 | 7.5 High |
This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382). | ||||
CVE-2022-21803 | 2 Nconf Project, Redhat | 2 Nconf, Acm | 2024-09-16 | 7.3 High |
This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype. | ||||
CVE-2022-25904 | 1 Safe-eval Project | 1 Safe-eval | 2024-09-16 | 7.5 High |
All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype. | ||||
CVE-2020-28462 | 1 Ion-parser Project | 1 Ion-parser | 2024-09-16 | 7.3 High |
This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse, they will pollute the prototype on the application. This can be exploited further depending on the context. | ||||
CVE-2021-23329 | 1 Getadigital | 1 Nested-object-assign | 2024-09-16 | 7.5 High |
The package nested-object-assign before 1.0.4 is vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below. | ||||
CVE-2021-23448 | 1 Config-handler Project | 1 Config-handler | 2024-09-16 | 6.5 Medium |
All versions of package config-handler are vulnerable to Prototype Pollution when loading config files. | ||||
CVE-2020-7706 | 1 Connie-lang Project | 1 Connie-lang | 2024-09-16 | 9.8 Critical |
The package connie-lang before 0.1.1 is vulnerable to Prototype Pollution in the configuration language library used by connie. | ||||
CVE-2021-23558 | 1 Bmoor Project | 1 Bmoor | 2024-09-16 | 7.3 High |
The package bmoor before 0.10.1 is vulnerable to Prototype Pollution due to missing sanitization in set function. **Note:** This vulnerability derives from an incomplete fix in [CVE-2020-7736](https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664) | ||||
CVE-2023-45811 | 1 Relative | 1 Synchrony | 2024-09-13 | 8.2 High |
Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `deobfuscator@2.4.4`. Users are advised to upgrade. Users unable to upgrade should launch node with the `--disable-proto=delete` or `--disable-proto=throw` flags. | ||||
CVE-2022-3901 | 1 Visioglobe | 1 Visioweb | 2024-09-12 | 7.2 High |
Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system. | ||||
CVE-2024-21529 | 1 Dset Project | 1 Dset | 2024-09-11 | 8.2 High |
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program. |