CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (488)
page 23 of 25

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-7720 | | | 0.00 | — | 0.02 | | Sep 1, 2020 | The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions. |
| CVE-2020-7719 | | — | 0.00 | — | 0.02 | | Sep 1, 2020 | Versions of package locutus before 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function. |
| CVE-2020-7717 | | — | 0.00 | — | 0.00 | | Sep 1, 2020 | All versions of package dot-notes are vulnerable to Prototype Pollution via the create function. |
| CVE-2020-7718 | | | 0.00 | — | 0.00 | | Sep 1, 2020 | All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions. |
| CVE-2020-7714 | | — | 0.00 | — | 0.00 | | Sep 1, 2020 | All versions of package confucious are vulnerable to Prototype Pollution via the set function. |
| CVE-2020-7715 | | — | 0.00 | — | 0.01 | | Sep 1, 2020 | All versions of package deep-get-set are vulnerable to Prototype Pollution via the main function. |
| CVE-2020-7716 | | | 0.00 | — | 0.00 | | Sep 1, 2020 | All versions of package deeps are vulnerable to Prototype Pollution via the set function. |
| CVE-2020-7713 | | — | 0.00 | — | 0.00 | | Sep 1, 2020 | All versions of package arr-flatten-unflatten are vulnerable to Prototype Pollution via the constructor. |
| CVE-2020-7708 | | | 0.00 | — | 0.01 | | Aug 18, 2020 | The package irrelon-path before 4.7.0; the package @irrelon/path before 4.7.0 are vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions. |
| CVE-2020-7707 | | — | 0.00 | — | 0.02 | | Aug 18, 2020 | The package property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function. |
| CVE-2020-7706 | | — | 0.00 | — | 0.02 | | Aug 18, 2020 | The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie. |
| CVE-2020-7704 | | — | 0.00 | — | 0.02 | | Aug 17, 2020 | The package linux-cmdline before 1.0.1 are vulnerable to Prototype Pollution via the constructor. |
| CVE-2020-7703 | | — | 0.00 | — | 0.00 | | Aug 17, 2020 | All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function. |
| CVE-2020-7702 | | — | 0.00 | — | 0.00 | | Aug 17, 2020 | All versions of package templ8 are vulnerable to Prototype Pollution via the parse function. |
| CVE-2020-7701 | | — | 0.00 | — | 0.01 | | Aug 14, 2020 | madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue. |
| CVE-2020-7700 | | — | 0.00 | — | 0.00 | | Aug 14, 2020 | All versions of phpjs are vulnerable to Prototype Pollution via parse_str. |
| CVE-2020-7699 | | | 0.00 | — | 0.02 | | Jul 30, 2020 | This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. |
| CVE-2020-15366 | | — | 0.00 | — | 0.00 | | Jul 15, 2020 | An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an… |
| CVE-2020-8203 | | — | 0.00 | — | 0.03 | | Jul 15, 2020 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. |
| CVE-2020-7679 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution. |