Total
391 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-37601 | 3 Debian, Redhat, Webpack.js | 4 Debian Linux, Logging, Migration Toolkit Applications and 1 more | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. | ||||
| CVE-2022-37598 | 1 Uglifyjs Project | 1 Uglifyjs | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report. | ||||
| CVE-2022-37266 | 1 Stealjs | 1 Steal | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability in function extend in babel.js in stealjs steal 2.2.4 via the key variable in babel.js. | ||||
| CVE-2022-37264 | 1 Stealjs | 1 Steal | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js. | ||||
| CVE-2022-37258 | 1 Stealjs | 1 Steal | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js. | ||||
| CVE-2022-37257 | 1 Stealjs | 1 Steal | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. | ||||
| CVE-2022-2625 | 3 Fedoraproject, Postgresql, Redhat | 8 Fedora, Postgresql, Enterprise Linux and 5 more | 2024-11-21 | 8.0 High |
| A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser. | ||||
| CVE-2022-2564 | 1 Mongoosejs | 1 Mongoose | 2024-11-21 | 9.8 Critical |
| Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. | ||||
| CVE-2022-26260 | 1 Simple-plist Project | 1 Simple-plist | 2024-11-21 | 9.8 Critical |
| Simple-Plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse(). | ||||
| CVE-2022-25907 | 1 Typescript Deep Merge Project | 1 Typescript Deep Merge | 2024-11-21 | 7.5 High |
| The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Pollution due to missing sanitization of the merge function. | ||||
| CVE-2022-25878 | 1 Protobufjs Project | 1 Protobufjs | 2024-11-21 | 8.2 High |
| The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files | ||||
| CVE-2022-25871 | 1 Querymen Project | 1 Querymen | 2024-11-21 | 5.9 Medium |
| All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. Note: This vulnerability derives from an incomplete fix of [CVE-2020-7600](https://security.snyk.io/vuln/SNYK-JS-QUERYMEN-559867). | ||||
| CVE-2022-25862 | 1 Sds Project | 1 Sds | 2024-11-21 | 4 Medium |
| This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to [CVE-2020-7618](https://security.snyk.io/vuln/SNYK-JS-SDS-564123) | ||||
| CVE-2022-25645 | 2 Dset Project, Redhat | 2 Dset, Acm | 2024-11-21 | 6.5 Medium |
| All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution. | ||||
| CVE-2022-25354 | 1 Set-in Project | 1 Set-in | 2024-11-21 | 8.6 High |
| The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049) | ||||
| CVE-2022-25352 | 1 Libnested Project | 1 Libnested | 2024-11-21 | 7.5 High |
| The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930) | ||||
| CVE-2022-25324 | 1 Bignum Project | 1 Bignum | 2024-11-21 | 7.5 High |
| All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8, when verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks. | ||||
| CVE-2022-25301 | 1 Jsgui-lang-essentials Project | 1 Jsgui-lang-essentials | 2024-11-21 | 7.7 High |
| All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. | ||||
| CVE-2022-25296 | 1 Bodymen Project | 1 Bodymen | 2024-11-21 | 6.3 Medium |
| The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897) | ||||
| CVE-2022-24279 | 1 Springtree | 1 Madlib-object-utils | 2024-11-21 | 7.5 High |
| The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676) | ||||