Search Results (488 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-4307 | 1 Baobab Project | 1 Baobab | 2024-11-25 | 6.3 Medium |
| A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be launched remotely. Upgrading to version 2.6.1 is able to address this issue. The patch is named c56639532a923d9a1600fb863ec7551b188b5d19. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217627. | ||||
| CVE-2024-39012 | 2 Ais, Aisltd | 2 Strategyen, Strategyen | 2024-11-21 | 9.8 Critical |
| ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2024-39011 | 2 Chargeover, Redocly | 2 Redoc, Redoc | 2024-11-21 | 9.8 Critical |
| Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects. | ||||
| CVE-2024-39010 | 1 Chasemoskal | 1 Snapstate | 2024-11-21 | 9.8 Critical |
| chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2024-38986 | 1 75lb | 1 Deep-merge | 2024-11-21 | 9.8 Critical |
| Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects. | ||||
| CVE-2024-38984 | 1 Lukebond | 1 Json-override | 2024-11-21 | 9.8 Critical |
| Prototype Pollution in lukebond json-override 0.2.0 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property. | ||||
| CVE-2024-38983 | 1 Alykoshin | 1 Mini-deep-assign | 2024-11-21 | 9.8 Critical |
| Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index.js:91) | ||||
| CVE-2024-36572 | 1 Allpro | 2 Form-manager, Formmanager Data Handler | 2024-11-21 | 9.8 Critical |
| Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue. | ||||
| CVE-2024-22443 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | 7.2 High |
| A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise. | ||||
| CVE-2023-6293 | 1 Sequelizejs | 1 Sequelize-typescript | 2024-11-21 | 7.1 High |
| Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6. | ||||
| CVE-2023-45827 | 1 Clickbar | 1 Dot-diver | 2024-11-21 | 7.3 High |
| Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can lead to remote code execution (RCE). This issue has been addressed in commit `98daf567`, which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-45282 | 1 Nasa | 1 Openmct | 2024-11-21 | 7.5 High |
| In NASA Open MCT (aka openmct) before 3.1.0, prototype pollution can occur via an import action. | ||||
| CVE-2023-3696 | 1 Mongoosejs | 1 Mongoose | 2024-11-21 | 9.8 Critical |
| Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. | ||||
| CVE-2023-38894 | 1 Tree Kit Project | 1 Tree Kit | 2024-11-21 | 9.8 Critical |
| A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function. | ||||
| CVE-2023-36665 | 1 Protobufjs Project | 1 Protobufjs | 2024-11-21 | 9.8 Critical |
| protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. | ||||
| CVE-2023-26920 | 1 Naturalintelligence | 1 Fast Xml Parser | 2024-11-21 | 6.5 Medium |
| fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution. | ||||
| CVE-2023-26158 | 1 Mockjs | 1 Mock.js | 2024-11-21 | 8.2 High |
| All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to a missing check of whether the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on the existence or non-existence of certain attributes, or uses pre-defined attributes of the object prototype (such as hasOwnProperty, toString or valueOf). User-controlled inputs inside the extend() method of Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util will allow an attacker to exploit this vulnerability. Workaround: by using a denylist of dangerous attributes, this weakness can be eliminated. Add the following line in the Util.extend function: `if (["__proto__", "constructor", "prototype"].includes(name)) continue;`. The resulting function in `src/mock/handler.js`: `Util.extend = function extend() { var target = arguments[0] \|\| {}, i = 1, length = arguments.length, options, name, src, copy, clone; if (length === 1) { target = this; i = 0; } for (; i < length; i++) { options = arguments[i]; if (!options) continue; for (name in options) { if (["__proto__", "constructor", "prototype"].includes(name)) continue; src = target[name]; copy = options[name]; if (target === copy) continue; if (copy === undefined) continue; if (Util.isArray(copy) \|\| Util.isObject(copy)) { if (Util.isArray(copy)) clone = src && Util.isArray(src) ? src : []; if (Util.isObject(copy)) clone = src && Util.isObject(src) ? src : {}; target[name] = Util.extend(clone, copy); } else { target[name] = copy; } } } return target; }` | ||||
| CVE-2023-26139 | 1 Underscore-keypath Project | 1 Underscore-keypath | 2024-11-21 | 7.5 High |
| Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “__proto__”. | ||||
| CVE-2023-26135 | 1 Flatnest Project | 1 Flatnest | 2024-11-21 | 7.3 High |
| All versions of the package flatnest are vulnerable to Prototype Pollution via the nest() function in the flatnest/nest.js file. | ||||
| CVE-2023-1717 | 1 Bitrix24 | 1 Bitrix24 | 2024-11-21 | 9.6 Critical |
| Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting `__proto__[tag]` and `__proto__[text]`. | ||||