ReportizFlow
Filtered by vendor
Subscriptions
Total
416 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-25354 | 1 Set-in Project | 1 Set-in | 2024-11-21 | 8.6 High |
| The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049) | ||||
| CVE-2022-25352 | 1 Libnested Project | 1 Libnested | 2024-11-21 | 7.5 High |
| The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930) | ||||
| CVE-2022-25324 | 1 Bignum Project | 1 Bignum | 2024-11-21 | 7.5 High |
| All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8, when verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks. | ||||
| CVE-2022-25301 | 1 Jsgui-lang-essentials Project | 1 Jsgui-lang-essentials | 2024-11-21 | 7.7 High |
| All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. | ||||
| CVE-2022-25296 | 1 Bodymen Project | 1 Bodymen | 2024-11-21 | 6.3 Medium |
| The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897) | ||||
| CVE-2022-24279 | 1 Springtree | 1 Madlib-object-utils | 2024-11-21 | 7.5 High |
| The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676) | ||||
| CVE-2022-23631 | 1 Blitzjs | 2 Blitz, Superjson | 2024-11-21 | 9.1 Critical |
| superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue. | ||||
| CVE-2022-23395 | 1 Jquery.cookie Project | 1 Jquery.cookie | 2024-11-21 | 6.1 Medium |
| jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS). | ||||
| CVE-2022-22912 | 1 Plist Project | 1 Plist | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution. | ||||
| CVE-2022-22143 | 1 Mozilla | 1 Convict | 2024-11-21 | 7.5 High |
| The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508) | ||||
| CVE-2022-21803 | 2 Nconf Project, Redhat | 2 Nconf, Acm | 2024-11-21 | 7.3 High |
| This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype. | ||||
| CVE-2022-21231 | 1 Deep-get-set Project | 1 Deep-get-set | 2024-11-21 | 7.5 High |
| All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666) | ||||
| CVE-2022-21213 | 1 Moutjs | 1 Mout | 2024-11-21 | 7.5 High |
| This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544). | ||||
| CVE-2022-21190 | 1 Mozilla | 1 Convict | 2024-11-21 | 7.5 High |
| This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604). The [fix](https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880) introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with __proto__ or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.__proto__ or foo.this.constructor.prototype. | ||||
| CVE-2022-21189 | 1 Dexie | 1 Dexie | 2024-11-21 | 7.3 High |
| The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input. | ||||
| CVE-2022-1295 | 1 Fullpage Project | 1 Fullpage | 2024-11-21 | 9.8 Critical |
| Prototype Pollution in GitHub repository alvarotrigo/fullpage.js prior to 4.0.2. | ||||
| CVE-2022-0432 | 1 Joinmastodon | 1 Mastodon | 2024-11-21 | 6.1 Medium |
| Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. | ||||
| CVE-2021-4279 | 1 Starcounter-jack | 1 Json-patch | 2024-11-21 | 6.3 Medium |
| A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.1 is able to address this issue. The name of the patch is 7ad6af41eabb2d799f698740a91284d762c955c9. It is recommended to upgrade the affected component. VDB-216778 is the identifier assigned to this vulnerability. | ||||
| CVE-2021-4278 | 1 Tree Kit Project | 1 Tree Kit | 2024-11-21 | 5.5 Medium |
| A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Upgrading to version 0.7.0 is able to address this issue. The name of the patch is a63f559c50d70e8cb2eaae670dec25d1dbc4afcd. It is recommended to upgrade the affected component. The identifier VDB-216765 was assigned to this vulnerability. | ||||
| CVE-2021-4264 | 1 Linkedin | 1 Dustjs | 2024-11-21 | 6.3 Medium |
| A vulnerability was found in LinkedIn dustjs up to 2.x and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is ddb6523832465d38c9d80189e9de60519ac307c3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216464. | ||||