| CVE | Vendors | Products | Updated | CVSS v3.1 |
| This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context. |
| This affects the package properties-reader before 2.2.0. |
| This affects the package @scullyio/scully before 1.0.9. The transfer state is serialised with the JSON.stringify() function and then written into the HTML page. |
| This affects the package pwntools before 4.3.1. The shellcraft generator for affected versions of this module is vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution. |
| This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse, they will pollute the prototype on the application. This can be exploited further depending on the context. |
| This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse, they will pollute the prototype on the application. This can be exploited further depending on the context. |
| This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link. |
| All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. |
| This affects the package s-cart/core before 4.4. The search functionality of the admin dashboard in core/src/Admin/Controllers/AdminOrderController.phpindex is vulnerable to XSS. |
| The package s-cart/core before 4.4 is vulnerable to Cross-site Scripting (XSS) via the admin panel. |
| This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped. |
| This affects all versions of package decal. The vulnerability is in the extend function. |
| This affects all versions of package decal. The vulnerability is in the set function. |
| All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn function. |
| This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context. |
| This affects all versions of package google-cloudstorage-commands. |
| This affects all versions of package node-latex-pdf. |
| All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: var a =require("geojson2kml"); a("./","& touch JHU",function(){}) |
| All versions of package kill-process-on-port are vulnerable to Command Injection via a.getProcessPortId. |
| This affects all versions of package curljs. |