VYPR

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Base | Incomplete

Description

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CVEs mapped to this weakness (145)

  • CVE-2022-24802 (Mar 31, 2022)
    risk 0.00cvss epss 0.02

    deepmerge-ts is a TypeScript library that provides deep merging of JavaScript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known…

  • CVE-2021-23433 (Nov 19, 2021)
    risk 0.00cvss epss 0.02

    The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js SearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only…

  • CVE-2021-3918 (Nov 13, 2021)
    risk 0.00cvss epss 0.04

    json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CVE-2021-23452 (Oct 20, 2021)
    risk 0.00cvss epss 0.01

    This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object.

  • CVE-2021-23449 (Oct 18, 2021)
    risk 0.00cvss epss 0.03

    This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.

  • CVE-2021-41097 (Sep 27, 2021)
    risk 0.00cvss epss 0.05

    aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia applications that use the `aurelia-path` package to parse a string. The…

  • CVE-2021-39227 (Sep 17, 2021)
    risk 0.00cvss epss 0.01

    ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts,…

  • CVE-2021-23442 (Sep 17, 2021)
    risk 0.00cvss epss 0.02

    This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object.

  • CVE-2021-3805 (Sep 17, 2021)
    risk 0.00cvss epss 0.02

    object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CVE-2021-3666 (Sep 13, 2021)
    risk 0.00cvss epss 0.01

    body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CVE-2021-3645 (Sep 10, 2021)
    risk 0.00cvss epss 0.01

    merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CVE-2021-3766 (Sep 6, 2021)
    risk 0.00cvss epss 0.01

    objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CVE-2021-3757 (Sep 2, 2021)
    risk 0.00cvss epss 0.02

    immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CVE-2021-23421 (Aug 11, 2021)
    risk 0.00cvss epss 0.01

    All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.

  • CVE-2021-23419 (Aug 8, 2021)
    risk 0.00cvss epss 0.01

    This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload.

  • CVE-2021-32811 (Aug 2, 2021)
    risk 0.00cvss epss 0.02

    Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and…

  • CVE-2021-32807 (Jul 30, 2021)
    risk 0.00cvss epss 0.02

    The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl`…

  • CVE-2021-23417 (Jul 28, 2021)
    risk 0.00cvss epss 0.01

    All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.

  • CVE-2021-25952 (Jul 7, 2021)
    risk 0.00cvss epss 0.03

    Prototype pollution vulnerability in ‘just-safe-set’ versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution.

  • CVE-2021-23403 (Jul 2, 2021)
    risk 0.00cvss epss 0.01

    All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of input validation.