Total
208 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36632 | 1 Flat Project | 1 Flat | 2023-01-04 | N/A | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability. | |||||
| CVE-2022-2200 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-01-03 | N/A | 8.8 HIGH |
| If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. | |||||
| CVE-2022-25904 | 1 Safe-eval Project | 1 Safe-eval | 2022-12-29 | N/A | 9.8 CRITICAL |
| All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype. | |||||
| CVE-2020-36618 | 1 Furqansofware | 1 Node Whois | 2022-12-29 | N/A | 9.8 CRITICAL |
| A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file index.coffee. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The name of the patch is 46ccc2aee8d063c7b6b4dee2c2834113b7286076. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216252. | |||||
| CVE-2022-1529 | 2 Google, Mozilla | 4 Android, Firefox, Firefox Esr and 1 more | 2022-12-29 | N/A | 8.8 HIGH |
| An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1. | |||||
| CVE-2022-1802 | 2 Google, Mozilla | 4 Android, Firefox, Firefox Esr and 1 more | 2022-12-29 | N/A | 8.8 HIGH |
| If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1. | |||||
| CVE-2021-4264 | 1 Linkedin | 1 Dustjs | 2022-12-28 | N/A | 8.8 HIGH |
| A vulnerability was found in LinkedIn dustjs up to 2.x and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is ddb6523832465d38c9d80189e9de60519ac307c3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216464. | |||||
| CVE-2021-4245 | 1 Rfc6902 Project | 1 Rfc6902 | 2022-12-20 | N/A | 9.8 CRITICAL |
| A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The exploit has been disclosed to the public and may be used. The name of the patch is c006ce9faa43d31edb34924f1df7b79c137096cf. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215883. | |||||
| CVE-2022-37598 | 1 Uglifyjs Project | 1 Uglifyjs | 2022-12-02 | N/A | 9.8 CRITICAL |
| ** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report. | |||||
| CVE-2022-2625 | 3 Fedoraproject, Postgresql, Redhat | 3 Fedora, Postgresql, Enterprise Linux | 2022-12-02 | N/A | 8.0 HIGH |
| A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser. | |||||
| CVE-2020-7600 | 1 Querymen Project | 1 Querymen | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks. | |||||
| CVE-2020-7637 | 1 Class-transformer Project | 1 Class-transformer | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| class-transformer before 0.3.1 allow attackers to perform Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | |||||
| CVE-2019-10808 | 1 Xcritical.software | 1 Utilitify | 2022-12-02 | 6.5 MEDIUM | 8.8 HIGH |
| utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype. | |||||
| CVE-2020-7638 | 1 Confinit Project | 1 Confinit | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| confinit through 0.3.0 is vulnerable to Prototype Pollution.The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. | |||||
| CVE-2020-7616 | 1 Express-mock-middleware Project | 1 Express-mock-middleware | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk. | |||||
| CVE-2020-7639 | 1 Dot Project | 1 Dot | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.The function 'set' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. | |||||
| CVE-2020-11066 | 1 Typo3 | 1 Typo3 | 2022-12-02 | 6.4 MEDIUM | 10.0 CRITICAL |
| In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. This has been fixed in 9.5.17 and 10.4.2. | |||||
| CVE-2020-12079 | 1 Beakerbrowser | 1 Beaker | 2022-12-02 | 7.5 HIGH | 10.0 CRITICAL |
| Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefore an attacker can conduct a prototype-pollution attack against the Electron internal messaging API. | |||||
| CVE-2020-7644 | 1 Fun-map Project | 1 Fun-map | 2022-12-02 | 6.8 MEDIUM | 8.1 HIGH |
| fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. | |||||
| CVE-2020-7679 | 1 Casperjs | 1 Casperjs | 2022-12-02 | 7.5 HIGH | 9.8 CRITICAL |
| In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution. | |||||