CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (488)
Page 25 of 25

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-16490 | | — | 0.00 | — | 0.00 | | Feb 1, 2019 | A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype. |
| CVE-2018-16489 | | — | 0.00 | — | 0.00 | | Feb 1, 2019 | A prototype pollution vulnerability was found in just-extend <4.0.0 that allows attack to inject properties onto Object.prototype through its functions. |
| CVE-2018-19296 | | — | 0.00 | — | 0.01 | | Nov 16, 2018 | PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. |
| CVE-2018-16469 | | — | 0.00 | — | 0.00 | | Oct 30, 2018 | The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack. |
| CVE-2018-3753 | | — | 0.00 | — | 0.00 | | Jul 3, 2018 | The utilities function in all versions <= 1.0.0 of the merge-objects node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that… |
| CVE-2018-3721 | | — | 0.00 | — | 0.00 | | Jun 7, 2018 | lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of… |
| CVE-2018-3720 | | — | 0.00 | — | 0.00 | | Jun 7, 2018 | assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of an existing property that will exist on all… |
| CVE-2018-3728 | | — | 0.00 | — | 0.02 | | Mar 30, 2018 | hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or… |