CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (488)
page 17 of 25

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-23558 | — | | 0.00 | — | 0.01 | | Jan 28, 2022 | The package bmoor before 0.10.1 are vulnerable to Prototype Pollution due to missing sanitization in set function. **Note:** This vulnerability derives from an incomplete fix in [CVE-2020-7736](https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664) |
| CVE-2021-23760 | — | | 0.00 | — | 0.02 | | Jan 28, 2022 | The package keyget from 0.0.0 are vulnerable to Prototype Pollution via the methods set, push, and at which could allow an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix to… |
| CVE-2021-23518 | — | | 0.00 | — | 0.01 | | Jan 21, 2022 | The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to… |
| CVE-2021-23460 | — | | 0.00 | — | 0.01 | | Jan 21, 2022 | The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types. |
| CVE-2021-23543 | — | | 0.00 | — | 0.01 | | Jan 7, 2022 | All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. |
| CVE-2021-23568 | — | | 0.00 | — | 0.01 | | Jan 7, 2022 | The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge. |
| CVE-2021-23594 | — | | 0.00 | — | 0.01 | | Jan 7, 2022 | All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. |
| CVE-2021-43852 | — | | 0.00 | — | 0.01 | | Jan 4, 2022 | OroPlatform is a PHP Business Application Platform. In affected versions by sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by… |
| CVE-2021-23574 | — | | 0.00 | — | 0.01 | | Dec 24, 2021 | All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS-JSDATA-1023655). |
| CVE-2021-23450 | — | | 0.00 | — | 0.02 | | Dec 17, 2021 | All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. |
| CVE-2021-23663 | — | | 0.00 | — | 0.00 | | Dec 10, 2021 | All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function. |
| CVE-2021-23700 | — | | 0.00 | — | 0.00 | | Dec 10, 2021 | All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function. |
| CVE-2021-23561 | — | | 0.00 | — | 0.00 | | Dec 10, 2021 | All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function. |
| CVE-2021-3815 | — | | 0.00 | — | 0.00 | | Dec 8, 2021 | utils.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CVE-2021-23433 | — | | 0.00 | — | 0.00 | | Nov 19, 2021 | The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js SearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only… |
| CVE-2021-3918 | — | | 0.00 | — | 0.01 | | Nov 13, 2021 | json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CVE-2021-23509 | — | | 0.00 | — | 0.02 | | Nov 3, 2021 | This affects the package json-ptr before 3.0.0. A type confusion vulnerability can lead to a bypass of CVE-2020-7766 when the user-provided keys used in the pointer parameter are arrays. |
| CVE-2021-23807 | — | | 0.00 | — | 0.00 | | Nov 3, 2021 | This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays. |
| CVE-2021-23624 | — | | 0.00 | — | 0.00 | | Nov 3, 2021 | This affects the package dotty before 0.1.2. A type confusion vulnerability can lead to a bypass of CVE-2021-25912 when the user-provided keys used in the path parameter are arrays. |
| CVE-2021-23820 | — | | 0.00 | — | 0.01 | | Nov 3, 2021 | This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays. |