CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (488)
page 16 of 25

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-24802 | — | | 0.00 | — | 0.01 | | Mar 31, 2022 | deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known… |
| CVE-2022-26260 | — | | 0.00 | — | 0.00 | | Mar 22, 2022 | Simple-Plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse(). |
| CVE-2021-44906 | — | | 0.00 | — | 0.01 | | Mar 17, 2022 | Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). |
| CVE-2021-44908 | — | | 0.00 | — | 0.00 | | Mar 17, 2022 | SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). |
| CVE-2022-25354 | — | | 0.00 | — | 0.01 | | Mar 17, 2022 | The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-104… |
| CVE-2022-25352 | — | | 0.00 | — | 0.01 | | Mar 17, 2022 | The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930) |
| CVE-2021-23771 | — | | 0.00 | — | 0.00 | | Mar 17, 2022 | This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype.… |
| CVE-2022-25296 | — | | 0.00 | — | 0.00 | | Mar 17, 2022 | The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to… |
| CVE-2022-24760 | | | 0.00 | — | 0.76 | | Mar 11, 2022 | Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the… |
| CVE-2022-23395 | — | | 0.00 | — | 0.00 | | Mar 2, 2022 | jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS). |
| CVE-2021-23702 | — | | 0.00 | — | 0.00 | | Feb 18, 2022 | The package object-extend from 0.0.0 are vulnerable to Prototype Pollution via object-extend. |
| CVE-2022-22912 | — | | 0.00 | — | 0.02 | | Feb 17, 2022 | Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution. |
| CVE-2021-23682 | — | | 0.00 | — | 0.05 | | Feb 16, 2022 | This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a… |
| CVE-2021-23555 | | | 0.00 | — | 0.01 | | Feb 11, 2022 | The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine. |
| CVE-2022-23631 | | | 0.00 | — | 0.00 | | Feb 9, 2022 | superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the… |
| CVE-2022-23623 | | | 0.00 | — | 0.00 | | Feb 7, 2022 | Frourio is a full stack framework, for TypeScript. Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder are subject to a input validation vulnerability. Validators do not work properly for request bodies and… |
| CVE-2022-23624 | — | | 0.00 | — | 0.00 | | Feb 7, 2022 | Frourio-express is a minimal full stack framework, for TypeScript. Frourio-express users who uses frourio-express version prior to v0.26.0 and integration with class-validator through `validators/` folder are subject to a input validation vulnerability. Validators do not work… |
| CVE-2021-23507 | — | | 0.00 | — | 0.01 | | Feb 4, 2022 | The package object-path-set before 1.0.2 are vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-OBJECTPATHSET-607… |
| CVE-2021-23470 | — | | 0.00 | — | 0.01 | | Feb 4, 2022 | This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete… |
| CVE-2021-23497 | — | | 0.00 | — | 0.03 | | Feb 4, 2022 | This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821 |