Total
382 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-0432 | 1 Joinmastodon | 1 Mastodon | 2024-11-21 | 6.1 Medium |
| Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. | ||||
| CVE-2021-4279 | 1 Starcounter-jack | 1 Json-patch | 2024-11-21 | 6.3 Medium |
| A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.1 is able to address this issue. The name of the patch is 7ad6af41eabb2d799f698740a91284d762c955c9. It is recommended to upgrade the affected component. VDB-216778 is the identifier assigned to this vulnerability. | ||||
| CVE-2021-4278 | 1 Tree Kit Project | 1 Tree Kit | 2024-11-21 | 5.5 Medium |
| A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Upgrading to version 0.7.0 is able to address this issue. The name of the patch is a63f559c50d70e8cb2eaae670dec25d1dbc4afcd. It is recommended to upgrade the affected component. The identifier VDB-216765 was assigned to this vulnerability. | ||||
| CVE-2021-4264 | 1 Linkedin | 1 Dustjs | 2024-11-21 | 6.3 Medium |
| A vulnerability was found in LinkedIn dustjs up to 2.x and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is ddb6523832465d38c9d80189e9de60519ac307c3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216464. | ||||
| CVE-2021-4245 | 1 Rfc6902 Project | 1 Rfc6902 | 2024-11-21 | 5.5 Medium |
| A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The exploit has been disclosed to the public and may be used. The name of the patch is c006ce9faa43d31edb34924f1df7b79c137096cf. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215883. | ||||
| CVE-2021-44908 | 1 Sailsjs | 1 Sails | 2024-11-21 | 9.8 Critical |
| SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). | ||||
| CVE-2021-44906 | 2 Redhat, Substack | 12 Enterprise Linux, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 9 more | 2024-11-21 | 9.8 Critical |
| Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). | ||||
| CVE-2021-43956 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 6.1 Medium |
| The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. | ||||
| CVE-2021-43787 | 1 Nodebb | 1 Nodebb | 2024-11-21 | 9 Critical |
| Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible. | ||||
| CVE-2021-43138 | 3 Async Project, Fedoraproject, Redhat | 4 Async, Fedora, Rhmt and 1 more | 2024-11-21 | 7.8 High |
| In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. | ||||
| CVE-2021-42581 | 2 Ramdajs, Redhat | 2 Ramda, Ceph Storage | 2024-11-21 | 9.1 Critical |
| Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes | ||||
| CVE-2021-41097 | 1 Bluespire | 1 Aurelia-path | 2024-11-21 | 9.1 Critical |
| aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`. | ||||
| CVE-2021-40663 | 1 Deep.assign Project | 1 Deep.assign | 2024-11-21 | 9.8 Critical |
| deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | ||||
| CVE-2021-3815 | 1 Utils.js Project | 1 Utils.js | 2024-11-21 | 9.8 Critical |
| utils.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | ||||
| CVE-2021-3805 | 3 Debian, Object-path Project, Redhat | 3 Debian Linux, Object-path, Acm | 2024-11-21 | 7.5 High |
| object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | ||||
| CVE-2021-3766 | 1 Objection Project | 1 Objection | 2024-11-21 | 9.8 Critical |
| objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | ||||
| CVE-2021-3757 | 2 Immer Project, Redhat | 2 Immer, Rhmt | 2024-11-21 | 9.8 Critical |
| immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | ||||
| CVE-2021-3666 | 1 Xml Body Parser Project | 1 Xml Body Parser | 2024-11-21 | 9.8 Critical |
| body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | ||||
| CVE-2021-3645 | 1 Merge Project | 1 Merge | 2024-11-21 | 9.8 Critical |
| merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | ||||
| CVE-2021-39227 | 1 Baidu | 1 Zrender | 2024-11-21 | 6.2 Medium |
| ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: Check if there is `__proto__` in the object keys. Omit it before using it as an parameter in these affected methods. Or in `echarts.util.merge` and `setOption` if project is using ECharts. | ||||