Total: 344 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2019-11358 | 11 Backdropcms, Debian, Drupal and 8 more | 114 Backdrop, Debian Linux, Drupal and 111 more | 2024-11-15 | 6.1 Medium | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. |
CVE-2024-45277 | 2 Sap, Sap Se | 2 Hana-client, Sap Hana Client | 2024-11-14 | 4.3 Medium | The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 are impacted by a Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitization when using the nestTables feature, causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity. |
CVE-2024-21528 | | | 2024-11-12 | 5.9 Medium | All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper user input sanitization. |
CVE-2024-48910 | 2 Cure53, Redhat | 2 Dompurify, Advanced Cluster Security | 2024-11-01 | 9.1 Critical | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2. |
CVE-2023-3696 | 1 Mongoosejs | 1 Mongoose | 2024-10-30 | 9.8 Critical | Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. |
CVE-2022-37601 | 3 Debian, Redhat, Webpack.js | 4 Debian Linux, Logging, Migration Toolkit Applications and 1 more | 2024-10-28 | 9.8 Critical | Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. |
CVE-2024-39012 | 2 Ais, Aisltd | 2 Strategyen, Strategyen | 2024-10-22 | 9.8 Critical | ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
CVE-2023-26139 | 1 Underscore-keypath Project | 1 Underscore-keypath | 2024-10-17 | 7.5 High | Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like "__proto__". |
CVE-2021-26505 | 1 Hello.js Project | 1 Hello.js | 2024-10-09 | 9.8 Critical | Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6 allows remote attackers to execute arbitrary code via the hello.utils.extend function. |
CVE-2023-38894 | 1 Tree Kit Project | 1 Tree Kit | 2024-10-08 | 9.8 Critical | A Prototype Pollution issue in Cronvel Tree-kit v0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function. |
CVE-2024-21489 | 2 Leeoniya, Redhat | 4 Uplot, Rhel Aus, Rhel E4s and 1 more | 2024-10-07 | 8.2 High | Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to a missing check of whether the attribute resolves to the object prototype. |
CVE-2021-43956 | 1 Atlassian | 2 Crucible, Fisheye | 2024-10-03 | 6.1 Medium | The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. |
CVE-2024-45815 | 1 Backstage | 1 Backstage | 2024-09-23 | 6.5 Medium | Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2023-45282 | 1 Nasa | 1 Openmct | 2024-09-19 | 7.5 High | In NASA Open MCT (aka openmct) before 3.1.0, prototype pollution can occur via an import action. |
CVE-2022-21169 | 1 Express Xss Sanitizer Project | 1 Express Xss Sanitizer | 2024-09-17 | 7.3 High | The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass XSS sanitization. |
CVE-2022-25301 | 1 Jsgui-lang-essentials Project | 1 Jsgui-lang-essentials | 2024-09-17 | 7.7 High | All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as `__proto__`, constructor and prototype. |
CVE-2021-23507 | 1 Skratchdot | 1 Object-path-set | 2024-09-17 | 7.5 High | The package object-path-set before 1.0.2 is vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-OBJECTPATHSET-607908 |
CVE-2020-7716 | 1 Invertase | 1 Deeps | 2024-09-17 | 9.8 Critical | All versions of package deeps are vulnerable to Prototype Pollution via the set function. |
CVE-2020-7641 | 1 Grunt-util-property Project | 1 Grunt-util-property | 2024-09-17 | 4 Medium | This affects all versions of package grunt-util-property. The function call could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. |
CVE-2021-23702 | 1 Object-extend Project | 1 Object-extend | 2024-09-17 | 7.6 High | The package object-extend from 0.0.0 is vulnerable to Prototype Pollution via object-extend. |