CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (488)
page 14 of 25

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-37621 | | | 0.00 | — | 0.01 | | Oct 28, 2022 | Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in resolve-shims.js. |
| CVE-2022-39357 | | | 0.00 | — | 0.01 | | Oct 26, 2022 | Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not… |
| CVE-2022-29823 | | | 0.00 | — | 0.04 | | Oct 25, 2022 | Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application. |
| CVE-2022-37602 | | | 0.00 | — | 0.01 | | Oct 14, 2022 | Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 via the key variable in grunt-karma.js. |
| CVE-2022-37614 | | | 0.00 | — | 0.01 | | Oct 12, 2022 | Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js. |
| CVE-2022-37601 | | | 0.00 | — | 0.19 | | Oct 12, 2022 | Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. |
| CVE-2022-37611 | | | 0.00 | — | 0.01 | | Oct 12, 2022 | Prototype pollution vulnerability in tschaub gh-pages 3.1.0 via the partial variable in util.js. |
| CVE-2022-37616 | | | 0.00 | — | 0.01 | | Oct 11, 2022 | A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third… |
| CVE-2022-37617 | | | 0.00 | — | 0.00 | | Oct 11, 2022 | Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the k variable in resolve-shims.js. |
| CVE-2022-21169 | | | 0.00 | — | 0.01 | | Sep 26, 2022 | The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization. |
| CVE-2020-36604 | | | 0.00 | — | 0.01 | | Sep 23, 2022 | hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function. |
| CVE-2022-37265 | | | 0.00 | — | 0.00 | | Sep 20, 2022 | Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js. |
| CVE-2022-37258 | | | 0.00 | — | 0.01 | | Sep 16, 2022 | Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js. |
| CVE-2022-37264 | | | 0.00 | — | 0.01 | | Sep 15, 2022 | Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js. |
| CVE-2022-37257 | | | 0.00 | — | 0.01 | | Sep 15, 2022 | Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. |
| CVE-2022-37266 | | | 0.00 | — | 0.01 | | Sep 15, 2022 | Prototype pollution vulnerability in function extend in babel.js in stealjs steal 2.2.4 via the key variable in babel.js. |
| CVE-2022-25907 | | | 0.00 | — | 0.00 | | Aug 9, 2022 | The package ts-deepmerge before 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function. |
| CVE-2022-2564 | | | 0.00 | — | 0.03 | | Jul 28, 2022 | Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. |
| CVE-2021-23373 | | | 0.00 | — | 0.00 | | Jul 25, 2022 | All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality. |
| CVE-2020-28471 | | | 0.00 | — | 0.01 | | Jul 25, 2022 | This affects the package properties-reader before 2.2.0. |