Total
208 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-26106 | 1 Dot-lens Project | 1 Dot-lens | 2023-03-10 | N/A | 7.5 HIGH |
All versions of the package dot-lens are vulnerable to Prototype Pollution via the set() function in index.js file. | |||||
CVE-2023-26105 | 1 Utilities Project | 1 Utilities | 2023-03-08 | N/A | 7.5 HIGH |
All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function. | |||||
CVE-2023-23917 | 1 Rocket.chat | 1 Rocket.chat | 2023-03-03 | N/A | 8.8 HIGH |
A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account. Any user can create their own server in your cloud and become an admin so this vulnerability could affect the cloud infrastructure. This attack vector also may increase the impact of XSS to RCE which is dangerous for self-hosted users as well. | |||||
CVE-2023-26102 | 1 Rangy Project | 1 Rangy | 2023-03-02 | N/A | 8.2 HIGH |
All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype | |||||
CVE-2022-3901 | 1 Visioglobe | 1 Visioweb | 2023-03-02 | N/A | 6.1 MEDIUM |
Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system. | |||||
CVE-2022-29823 | 1 Featherjs | 1 Feathers-sequelize | 2023-02-28 | N/A | 9.8 CRITICAL |
Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application. | |||||
CVE-2022-46175 | 2 Fedoraproject, Json5 | 2 Fedora, Json5 | 2023-02-28 | N/A | 8.8 HIGH |
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later. | |||||
CVE-2022-37601 | 2 Debian, Webpack.js | 2 Debian Linux, Loader-utils | 2023-02-28 | N/A | 9.8 CRITICAL |
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js. | |||||
CVE-2021-43138 | 2 Async Project, Fedoraproject | 2 Async, Fedora | 2023-02-23 | 6.8 MEDIUM | 7.8 HIGH |
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. | |||||
CVE-2022-24999 | 3 Debian, Openjsf, Qs Project | 3 Debian Linux, Express, Qs | 2023-02-16 | N/A | 7.5 HIGH |
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable). | |||||
CVE-2022-37616 | 2 Debian, Xmldom Project | 2 Debian Linux, Xmldom | 2023-02-10 | N/A | 9.8 CRITICAL |
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted." | |||||
CVE-2021-42581 | 1 Ramdajs | 1 Ramda | 2023-02-09 | 6.4 MEDIUM | 9.1 CRITICAL |
** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes. | |||||
CVE-2021-4279 | 1 Starcounter-jack | 1 Json-patch | 2023-02-07 | N/A | 9.8 CRITICAL |
A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.1 is able to address this issue. The name of the patch is 7ad6af41eabb2d799f698740a91284d762c955c9. It is recommended to upgrade the affected component. VDB-216778 is the identifier assigned to this vulnerability. | |||||
CVE-2021-23518 | 2 Cached-path-relative Project, Debian | 2 Cached-path-relative, Debian Linux | 2023-02-03 | 7.5 HIGH | 9.8 CRITICAL |
The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573 | |||||
CVE-2021-3918 | 2 Debian, Json-schema Project | 2 Debian Linux, Json-schema | 2023-02-03 | 7.5 HIGH | 9.8 CRITICAL |
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
CVE-2021-23450 | 3 Debian, Linuxfoundation, Oracle | 5 Debian Linux, Dojo, Communications Policy Management and 2 more | 2023-01-30 | 7.5 HIGH | 9.8 CRITICAL |
All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. | |||||
CVE-2021-3805 | 2 Debian, Object-path Project | 2 Debian Linux, Object-path | 2023-01-30 | 5.0 MEDIUM | 7.5 HIGH |
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
CVE-2021-4307 | 1 Baobab Project | 1 Baobab | 2023-01-12 | N/A | 9.8 CRITICAL |
A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be launched remotely. Upgrading to version 2.6.1 is able to address this issue. The name of the patch is c56639532a923d9a1600fb863ec7551b188b5d19. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217627. | |||||
CVE-2022-4742 | 1 Json-pointer Project | 1 Json-pointer | 2023-01-04 | N/A | 9.8 CRITICAL |
A vulnerability, which was classified as critical, has been found in json-pointer. Affected by this issue is the function set of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The name of the patch is 859c9984b6c407fc2d5a0a7e47c7274daa681941. It is recommended to apply a patch to fix this issue. VDB-216794 is the identifier assigned to this vulnerability. | |||||
CVE-2021-4278 | 1 Tree Kit Project | 1 Tree Kit | 2023-01-04 | N/A | 7.8 HIGH |
A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Upgrading to version 0.7.0 is able to address this issue. The name of the patch is a63f559c50d70e8cb2eaae670dec25d1dbc4afcd. It is recommended to upgrade the affected component. The identifier VDB-216765 was assigned to this vulnerability. |