Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-32476 | 1 Moodle | 1 Moodle | 2022-12-02 | 5.0 MEDIUM | 7.5 HIGH |
| A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. | |||||
| CVE-2020-7638 | 1 Confinit Project | 1 Confinit | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| confinit through 0.3.0 is vulnerable to Prototype Pollution.The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. | |||||
| CVE-2020-7637 | 1 Class-transformer Project | 1 Class-transformer | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| class-transformer before 0.3.1 allow attackers to perform Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | |||||
| CVE-2020-7600 | 1 Querymen Project | 1 Querymen | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks. | |||||
| CVE-2019-10808 | 1 Xcritical.software | 1 Utilitify | 2022-12-02 | 6.5 MEDIUM | 8.8 HIGH |
| utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype. | |||||
| CVE-2020-7679 | 1 Casperjs | 1 Casperjs | 2022-12-02 | 7.5 HIGH | 9.8 CRITICAL |
| In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution. | |||||
| CVE-2020-11066 | 1 Typo3 | 1 Typo3 | 2022-12-02 | 6.4 MEDIUM | 10.0 CRITICAL |
| In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. This has been fixed in 9.5.17 and 10.4.2. | |||||
| CVE-2020-7644 | 1 Fun-map Project | 1 Fun-map | 2022-12-02 | 6.8 MEDIUM | 8.1 HIGH |
| fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. | |||||
| CVE-2020-12079 | 1 Beakerbrowser | 1 Beaker | 2022-12-02 | 7.5 HIGH | 10.0 CRITICAL |
| Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefore an attacker can conduct a prototype-pollution attack against the Electron internal messaging API. | |||||
| CVE-2020-7618 | 1 Sds Project | 1 Sds | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| sds through 3.2.0 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'. | |||||
| CVE-2020-7616 | 1 Express-mock-middleware Project | 1 Express-mock-middleware | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk. | |||||
| CVE-2020-7639 | 1 Dot Project | 1 Dot | 2022-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.The function 'set' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. | |||||
| CVE-2020-7706 | 1 Connie-lang Project | 1 Connie-lang | 2022-12-02 | 7.5 HIGH | 9.8 CRITICAL |
| The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie. | |||||
| CVE-2020-7704 | 1 Linux-cmdline Project | 1 Linux-cmdline | 2022-12-02 | 7.5 HIGH | 9.8 CRITICAL |
| The package linux-cmdline before 1.0.1 are vulnerable to Prototype Pollution via the constructor. | |||||
| CVE-2020-7703 | 1 Nis-utils Project | 1 Nis-utils | 2022-12-02 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function. | |||||
| CVE-2020-7702 | 1 Templ8 Project | 1 Templ8 | 2022-12-02 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package templ8 are vulnerable to Prototype Pollution via the parse function. | |||||
| CVE-2020-7701 | 1 Springtree | 1 Madlib-object-utils | 2022-12-02 | 7.5 HIGH | 9.8 CRITICAL |
| madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue. | |||||
| CVE-2020-7700 | 1 Php.js Project | 1 Php.js | 2022-12-02 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of phpjs are vulnerable to Prototype Pollution via parse_str. | |||||
| CVE-2020-7699 | 2 Express-fileupload Project, Netapp | 2 Express-fileupload, Max Data | 2022-12-02 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. | |||||
| CVE-2020-15366 | 1 Ajv.js | 1 Ajv | 2022-12-02 | 6.8 MEDIUM | 5.6 MEDIUM |
| An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.) | |||||