CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (503)
page 26 of 26

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-16490 | — | | 0.00 | — | 0.01 | | Feb 1, 2019 | A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype. |
| CVE-2018-19296 | — | | 0.00 | — | 0.02 | | Nov 16, 2018 | PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. |
| CVE-2018-16469 | — | | 0.00 | — | 0.02 | | Oct 30, 2018 | The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack. |