VYPR

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Variant · Incomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (503)

page 26 of 26
  • CVE-2018-16490 · Feb 1, 2019
    risk 0.00 · cvss · epss 0.01

    A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.

  • CVE-2018-19296 · Nov 16, 2018
    risk 0.00 · cvss · epss 0.02

    PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

  • CVE-2018-16469 · Oct 30, 2018
    risk 0.00 · cvss · epss 0.02

    The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.