Total: 208 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-37602 | 1 Grunt-karma Project | 1 Grunt-karma | 2022-10-14 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 via the key variable in grunt-karma.js. |
CVE-2022-37611 | 1 Gh-pages Project | 1 Gh-pages | 2022-10-14 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in tschaub gh-pages 3.1.0 via the partial variable in util.js. |
CVE-2022-37614 | 1 Mockery Project | 1 Mockery | 2022-10-14 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js. |
CVE-2022-37609 | 1 Js-beautify Project | 1 Js-beautify | 2022-10-13 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js. |
CVE-2022-37617 | 1 Browserify-shim Project | 1 Browserify-shim | 2022-10-13 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the k variable in resolve-shims.js. |
CVE-2021-41097 | 1 Bluespire | 1 Aurelia-path | 2022-09-29 | 5.0 MEDIUM | 7.5 HIGH | aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia applications that use the `aurelia-path` package to parse a string. The majority of these will be Aurelia applications that employ the `aurelia-router` package. For example, this could allow an attacker to change the prototype of the base object class `Object` by tricking an application into parsing the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`. |
CVE-2022-21169 | 1 Express Xss Sanitizer Project | 1 Express Xss Sanitizer | 2022-09-28 | N/A | 6.1 MEDIUM | The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass XSS sanitization. |
CVE-2020-36604 | 1 Hapijs | 1 Hoek | 2022-09-26 | N/A | 8.1 HIGH | hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function. |
CVE-2022-37265 | 1 Stealjs | 1 Steal | 2022-09-22 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js. |
CVE-2022-37258 | 1 Stealjs | 1 Steal | 2022-09-21 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js. |
CVE-2022-37264 | 1 Stealjs | 1 Steal | 2022-09-19 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js. |
CVE-2022-37257 | 1 Stealjs | 1 Steal | 2022-09-19 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. |
CVE-2022-37266 | 1 Stealjs | 1 Steal | 2022-09-19 | N/A | 9.8 CRITICAL | Prototype pollution vulnerability in function extend in babel.js in stealjs steal 2.2.4 via the key variable in babel.js. |
CVE-2021-3757 | 1 Immer Project | 1 Immer | 2022-09-09 | 7.5 HIGH | 9.8 CRITICAL | immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). |
CVE-2021-39227 | 1 Baidu | 1 Zrender | 2022-09-09 | 7.5 HIGH | 9.8 CRITICAL | ZRender is a lightweight graphics library providing 2D drawing for Apache ECharts. In versions prior to 5.2.1, using the `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: check whether `__proto__` is among the object's keys and omit it before passing the object as a parameter to these affected methods, or, if the project uses ECharts, before passing it to `echarts.util.merge` and `setOption`. |
CVE-2021-39205 | 1 8x8 | 1 Jitsi Meet | 2022-09-09 | 4.3 MEDIUM | 6.1 MEDIUM | Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading. |
CVE-2021-40663 | 1 Deep.assign Project | 1 Deep.assign | 2022-09-09 | 7.5 HIGH | 9.8 CRITICAL | deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). |
CVE-2020-28458 | 1 Datatables | 1 Datatables.net | 2022-08-15 | 7.5 HIGH | 7.3 HIGH | All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. |
CVE-2022-25907 | 1 Typescript Deep Merge Project | 1 Typescript Deep Merge | 2022-08-12 | N/A | 9.8 CRITICAL | The package ts-deepmerge before 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization in the merge function. |
CVE-2020-8116 | 1 Dot-prop Project | 1 Dot-prop | 2022-08-05 | 7.5 HIGH | 7.3 HIGH | Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects. |