CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (488)
page 11 of 25

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-45815 | 0.00 | — | 0.00 | Sep 17, 2024 | Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed… |
| CVE-2024-45801 | 0.00 | — | 0.00 | Sep 16, 2024 | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype… |
| CVE-2024-38986 | 0.00 | — | 0.00 | Jul 30, 2024 | Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects. |
| CVE-2024-38993 | 0.00 | — | 0.00 | Jul 1, 2024 | rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function empty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
| CVE-2024-38997 | 0.00 | — | 0.01 | Jul 1, 2024 | adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function extendDefaults. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
| CVE-2024-39001 | 0.00 | — | 0.00 | Jul 1, 2024 | ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
| CVE-2024-38994 | 0.00 | — | 0.00 | Jul 1, 2024 | amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
| CVE-2024-38996 | 0.00 | — | 0.00 | Jul 1, 2024 | ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
| CVE-2024-34148 | 0.00 | — | 0.01 | May 2, 2024 | Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system property 'hudson.model.ParametersAction.keepUndefinedParameters'. |
| CVE-2024-21509 | 0.00 | — | 0.01 | Apr 10, 2024 | Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js. |
| CVE-2024-27307 | 0.00 | — | 0.01 | Mar 6, 2024 | JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote… |
| CVE-2024-23339 | 0.00 | — | 0.12 | Jan 22, 2024 | hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object… |
| CVE-2023-46308 | 0.00 | — | 0.00 | Jan 3, 2024 | In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty. |
| CVE-2023-26920 | 0.00 | — | 0.00 | Dec 12, 2023 | fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution. |
| CVE-2023-26158 | 0.00 | — | 0.00 | Dec 8, 2023 | All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist… |
| CVE-2023-6293 | 0.00 | — | 0.00 | Nov 24, 2023 | Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6. |
| CVE-2023-45827 | 0.00 | — | 0.10 | Nov 6, 2023 | Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can lead… |
| CVE-2023-45811 | 0.00 | — | 0.00 | Oct 17, 2023 | Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer… |
| CVE-2023-45282 | 0.00 | — | 0.00 | Oct 6, 2023 | In NASA Open MCT (aka openmct) before 3.1.0, prototype pollution can occur via an import action. |
| CVE-2023-38894 | 0.00 | — | 0.03 | Aug 16, 2023 | A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function. |
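The two shapes of CWE-1321 that recur in the list above are a recursive merge/extend that walks attacker-supplied keys (deep-merge, extend, extendDefaults, _.mergeDeep, Util.extend) and a dotted-path setter (hoolock `set`, Dot diver `setByPath`, plotly nestedProperty). The following is an added illustration of both, written for this page; it is not CWE/MITRE text and not code from any project named in the list. `unsafeMerge`, `safeMerge`, `setPath`, the demo functions and the `PAYLOAD` request body are this example's own constructed names and data.

```javascript
// Added example (not CWE/MITRE or any listed project's code). Shows a
// recursive merge as many libraries write it, the hardened form, and a
// dotted-path setter applying the same rule. Names are this example's own.

// A deep merge recurses only into plain objects (not arrays, null, Dates ...).
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: walks every key the source carries. JSON.parse turns the text
// {"__proto__": {...}} into an OWN property named "__proto__" (it does not set
// the prototype), so for...in hands that key to the merge. Reading
// target["__proto__"] on a plain object hits the inherited accessor and
// returns Object.prototype, and the recursion writes straight onto it.
// Mergers that also recurse into functions reach the same object through
// "constructor" -> "prototype"; this one stops at the function, so only the
// __proto__ route is exercised here.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: own keys only, the three chain-walking keys refused outright, and
// recursion only into an OWN plain-object property of target, never into
// something target merely inherits.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Same rule for a dotted-path setter (the set/setByPath style of utility in
// the list): reject any segment that names the prototype chain, and only
// descend into own plain-object properties.
function setPath(obj, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => FORBIDDEN_KEYS.has(p))) {
    throw new TypeError(`refusing to set path "${path}": prototype segment`);
  }
  let cur = obj;
  for (const p of parts.slice(0, -1)) {
    if (!hasOwn(cur, p) || !isPlainObject(cur[p])) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Constructed payload: what a JSON request body of this shape parses to.
const PAYLOAD = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');

// Probe: after a merge, does an unrelated fresh object now "have" isAdmin?
function leakedToPrototype() {
  return ({}).isAdmin === true;
}

function demoUnsafe() {
  unsafeMerge({}, PAYLOAD);
  const leaked = leakedToPrototype();
  delete Object.prototype.isAdmin; // undo the pollution so the process stays sane
  return leaked;                    // true: every object in the process was affected
}

function demoSafe() {
  const cfg = safeMerge({}, PAYLOAD);
  return { leaked: leakedToPrototype(), name: cfg.name, ownProto: hasOwn(cfg, '__proto__') };
}

function demoSetPath() {
  const ok = setPath({}, 'db.host', 'localhost');
  let refused = false;
  try { setPath({}, '__proto__.isAdmin', true); } catch (e) { refused = e instanceof TypeError; }
  return { host: ok.db.host, refused, leaked: leakedToPrototype() };
}

console.log('unsafe leaked:', demoUnsafe(), '| safe:', demoSafe(), '| setPath:', demoSetPath());
```

The key blocklist is the fix the listed advisories describe; the own-property check matters as well, because a merge that recurses into whatever `target[key]` returns can be led onto the prototype without ever seeing the literal key. Process-level backstops such as `Object.freeze(Object.prototype)` or Node's `--disable-proto` flag reduce the blast radius, but `--disable-proto` only removes the `__proto__` accessor and does nothing for the `constructor.prototype` route, so they complement rather than replace the input check. For lookup tables keyed by untrusted strings, `Object.create(null)` or a `Map` removes the inherited chain altogether.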