Total: 208 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-25354 | 1 Set-in Project | 1 Set-in | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
The package set-in before 2.0.3 is vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049) | |||||
CVE-2022-25296 | 1 Bodymen Project | 1 Bodymen | 2022-03-23 | 7.5 HIGH | 7.3 HIGH |
The package bodymen from 0.0.0 is vulnerable to Prototype Pollution via the handler function, which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897) | |||||
CVE-2022-25352 | 1 Libnested Project | 1 Libnested | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
The package libnested before 1.5.2 is vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930) | |||||
CVE-2021-44908 | 1 Sailsjs | 1 Sails | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). | |||||
CVE-2021-23771 | 2 Argencoders-notevil Project, Notevil Project | 2 Argencoders-notevil, Notevil | 2022-03-23 | 6.4 MEDIUM | 6.5 MEDIUM |
This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878). | |||||
CVE-2021-43956 | 1 Atlassian | 2 Crucible, Fisheye | 2022-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. | |||||
CVE-2021-23702 | 1 Object-extend Project | 1 Object-extend | 2022-02-25 | 7.5 HIGH | 9.8 CRITICAL |
The package object-extend from 0.0.0 is vulnerable to Prototype Pollution via object-extend. | |||||
CVE-2021-23682 | 2 Appwrite, Litespeed.js Project | 2 Appwrite, Litespeed.js | 2022-02-23 | 7.5 HIGH | 9.8 CRITICAL |
This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability. | |||||
CVE-2022-23631 | 1 Blitzjs | 1 Superjson | 2022-02-15 | 7.5 HIGH | 9.8 CRITICAL |
superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue. | |||||
CVE-2021-23497 | 1 Set Project | 1 Set | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821 | |||||
CVE-2021-23507 | 1 Skratchdot | 1 Object-path-set | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
The package object-path-set before 1.0.2 is vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-OBJECTPATHSET-607908 | |||||
CVE-2021-23470 | 1 Putil-merge Project | 1 Putil-merge | 2022-02-08 | 7.5 HIGH | 9.8 CRITICAL |
This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077 | |||||
CVE-2022-0432 | 1 Joinmastodon | 1 Mastodon | 2022-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. | |||||
CVE-2021-23760 | 1 Keyget Project | 1 Keyget | 2022-02-03 | 7.5 HIGH | 9.8 CRITICAL |
The package keyget from 0.0.0 is vulnerable to Prototype Pollution via the methods set, push, and at, which could allow an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix to [CVE-2020-28272](https://security.snyk.io/vuln/SNYK-JS-KEYGET-1048048) | |||||
CVE-2021-23558 | 1 Bmoor Project | 1 Bmoor | 2022-02-03 | 7.5 HIGH | 9.8 CRITICAL |
The package bmoor before 0.10.1 is vulnerable to Prototype Pollution due to missing sanitization in the set function. **Note:** This vulnerability derives from an incomplete fix in [CVE-2020-7736](https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664) | |||||
CVE-2021-23460 | 1 Camunda | 1 Min-dash | 2022-01-26 | 5.0 MEDIUM | 7.5 HIGH |
The package min-dash before 3.8.1 is vulnerable to Prototype Pollution via the set method due to missing enforcement of key types. | |||||
CVE-2021-23568 | 1 Eggjs | 1 Extend2 | 2022-01-13 | 7.5 HIGH | 9.8 CRITICAL |
The package extend2 before 1.0.1 is vulnerable to Prototype Pollution via the extend function due to an unsafe recursive merge. | |||||
CVE-2021-23594 | 1 Agoric | 1 Realms-shim | 2022-01-13 | 7.5 HIGH | 10.0 CRITICAL |
All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. | |||||
CVE-2021-23543 | 1 Agoric | 1 Realms-shim | 2022-01-13 | 7.5 HIGH | 9.8 CRITICAL |
All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. | |||||
CVE-2021-43852 | 1 Oroinc | 1 Oroplatform | 2022-01-12 | 6.8 MEDIUM | 8.8 HIGH |
OroPlatform is a PHP Business Application Platform. In affected versions, by sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution. This issue has been patched in version 4.2.8. Users unable to upgrade may configure a firewall to drop requests containing the following strings: `__proto__`, `constructor[prototype]`, and `constructor.prototype` to mitigate this issue. | |||||