Total: 208 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-8158 | 1 Typeorm | 1 Typeorm | 2022-08-05 | 7.5 HIGH | 9.8 CRITICAL | Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties, leading to further denial of service or SQL injection attacks.
CVE-2021-23397 | 1 Merge Project | 1 Merge | 2022-08-01 | N/A | 9.8 CRITICAL | All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. The maintainer suggests using @generates/merger instead.
CVE-2021-23373 | 1 Set-deep-prop Project | 1 Set-deep-prop | 2022-08-01 | N/A | 9.8 CRITICAL | All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality.
CVE-2020-28471 | 1 Properties-reader Project | 1 Properties-reader | 2022-08-01 | N/A | 9.8 CRITICAL | This affects the package properties-reader before 2.2.0.
CVE-2020-28462 | 1 Ion-parser Project | 1 Ion-parser | 2022-08-01 | N/A | 9.8 CRITICAL | This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with `parse`, they will pollute the prototype in the application. This can be exploited further depending on the context.
CVE-2020-28461 | 1 Js-ini Project | 1 Js-ini | 2022-08-01 | N/A | 9.8 CRITICAL | This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with `parse`, they will pollute the prototype in the application. This can be exploited further depending on the context.
CVE-2020-28441 | 1 Conf-cfg-ini Project | 1 Conf-cfg-ini | 2022-08-01 | N/A | 9.8 CRITICAL | This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with `decode`, they will pollute the prototype in the application. This can be exploited further depending on the context.
CVE-2021-3645 | 1 Merge Project | 1 Merge | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL | merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
CVE-2021-3766 | 1 Objection Project | 1 Objection | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL | objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
CVE-2021-3666 | 1 Xml Body Parser Project | 1 Xml Body Parser | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL | body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
CVE-2020-7641 | 1 Grunt-util-property Project | 1 Grunt-util-property | 2022-07-25 | N/A | 7.8 HIGH | This affects all versions of package grunt-util-property. The function call could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.
CVE-2021-32736 | 1 Thinkjs | 1 Think-helper | 2022-07-22 | 5.0 MEDIUM | 7.5 HIGH | think-helper defines a set of helper functions for ThinkJS. In versions of think-helper prior to 1.1.3, the software receives input from an upstream component that specifies attributes to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. The vulnerability is patched in version 1.1.3.
CVE-2022-22912 | 1 Plist Project | 1 Plist | 2022-07-14 | 7.5 HIGH | 9.8 CRITICAL | Prototype pollution vulnerability via `.parse()` in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.
CVE-2021-23597 | 1 Fastify | 1 Fastify-multipart | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH | This affects the package fastify-multipart before 5.3.1. By providing a `name=constructor` property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382).
CVE-2022-31106 | 1 Clever | 1 Underscore.deep | 2022-07-08 | 7.5 HIGH | 9.8 CRITICAL | Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to prototype pollution. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to reject specific keywords, which will prevent this from happening.
CVE-2022-21231 | 1 Deep-get-set Project | 1 Deep-get-set | 2022-07-06 | 7.5 HIGH | 9.8 CRITICAL | All versions of package deep-get-set are vulnerable to Prototype Pollution via the `deep` function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666).
CVE-2022-24760 | 3 Canonical, Microsoft, Parseplatform | 3 Ubuntu Linux, Windows, Parse-server | 2022-07-01 | 7.5 HIGH | 10.0 CRITICAL | Parse Server is an open source HTTP web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with the code referenced at the source GHSA-p6h4-93qp-jhcm.
CVE-2022-25871 | 1 Querymen Project | 1 Querymen | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH | All versions of package querymen are vulnerable to Prototype Pollution if the parameters of the exported function `handler(type, name, fn)` can be controlled by users without any sanitization. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7600](https://security.snyk.io/vuln/SNYK-JS-QUERYMEN-559867).
CVE-2022-21213 | 1 Moutjs | 1 Mout | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH | This affects all versions of package mout. The `deepFillIn` function can be used to 'fill missing properties recursively', while `deepMixIn` mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, which makes this vulnerability exploitable. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).
CVE-2022-25878 | 1 Protobufjs Project | 1 Protobufjs | 2022-06-08 | 5.0 MEDIUM | 7.5 HIGH | The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of Object.prototype. This vulnerability can occur in multiple ways: (1) by providing untrusted user input to the `util.setProperty` or `ReflectionObject.setParsedOption` functions; (2) by parsing/loading .proto files.