CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Description
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
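To make the weakness concrete, here is an added JavaScript example (written for this page; it is not code from the CWE entry or from any of the projects listed below). It shows a recursive deep merge of the kind most of the listed CVEs describe, first in a vulnerable form where the payload decides which attributes get written, including `__proto__`, and then a hardened form where the caller supplies an allowlist of attribute paths and the payload is validated in full before anything is mutated. The function names, the payload and the allowlist are constructed for this example; the pattern covers both the prototype-pollution and the mass-assignment face of CWE-915.

```javascript
// Added example, not code from the CWE page or from any project listed on it.
// Deep merge in a CWE-915-style vulnerable form, then hardened so that the
// caller, not the payload, decides which attributes may be set.

// Vulnerable: every key of the untrusted source is trusted, "__proto__"
// included. On a plain object target["__proto__"] is Object.prototype, so
// the recursion writes straight into the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that reach the prototype chain through a merge; never taken from input.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened, step 1: collect every violation before anything is written.
// Attribute paths are dotted ("profile.bio"); only own enumerable keys are
// read; arrays count as leaf values.
function findViolations(source, allowed, path = "", out = []) {
  for (const key of Object.keys(source)) {
    const full = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) {
      out.push(`refused key: ${full}`);
      continue;
    }
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (allowed.some((p) => p.startsWith(full + "."))) findViolations(value, allowed, full, out);
      else out.push(`attribute not allowed: ${full}`);
    } else if (!allowed.includes(full)) {
      out.push(`attribute not allowed: ${full}`);
    }
  }
  return out;
}

// Hardened, step 2: apply only after validation passed. Nested nodes that
// have to be created get a null prototype, so there is no chain to climb.
function applyMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (existing === null || typeof existing !== "object") target[key] = Object.create(null);
      applyMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Validate the whole payload first; a single bad attribute rejects the request.
function safeMerge(target, source, allowed) {
  const violations = findViolations(source, allowed);
  if (violations.length > 0) throw new Error(violations.join("; "));
  return applyMerge(target, source);
}

// Constructed inputs for this example: a profile update that also smuggles a
// prototype key, and the attribute paths a user is allowed to edit.
const ATTACK_PAYLOAD = '{"profile":{"displayName":"Mallory"},"__proto__":{"isAdmin":true}}';
const ALLOWED_ATTRIBUTES = ["profile.displayName", "profile.bio"];

// Blast radius of the vulnerable merge: the merged user keeps its own
// isAdmin=false, but an unrelated object created afterwards inherits true.
function runUnsafe() {
  const user = { profile: { displayName: "alice" }, isAdmin: false };
  unsafeMerge(user, JSON.parse(ATTACK_PAYLOAD));
  const bystander = {};
  const result = { userIsAdmin: user.isAdmin, bystanderIsAdmin: bystander.isAdmin === true };
  delete Object.prototype.isAdmin; // undo the pollution for the rest of the process
  return result;
}

// The hardened merge refuses the whole payload and leaves the target untouched.
function runSafe() {
  const user = { profile: { displayName: "alice" }, isAdmin: false };
  let refused = null;
  try {
    safeMerge(user, JSON.parse(ATTACK_PAYLOAD), ALLOWED_ATTRIBUTES);
  } catch (e) {
    refused = e.message;
  }
  return { refused, displayName: user.profile.displayName, bystanderIsAdmin: ({}).isAdmin === true };
}

// Mass-assignment face of the same weakness: a top-level field outside the allowlist.
function runMassAssignment() {
  return findViolations(JSON.parse('{"isAdmin":true,"profile":{"bio":"hi"}}'), ALLOWED_ATTRIBUTES);
}

console.log(JSON.stringify({ unsafe: runUnsafe(), safe: runSafe(), massAssignment: runMassAssignment() }));
```

Two design points worth noting. Validation runs over the entire payload before the first write, so a request that is half legitimate and half hostile is rejected outright rather than partially applied. And the deny-list for `__proto__`, `constructor` and `prototype` is a backstop, not the control: the allowlist of attribute paths is what actually implements "control which attributes can be modified", and it catches plain mass assignment (`isAdmin: true`) that no prototype check would see.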
Hierarchy (View 1000)
CVEs mapped to this weakness (145)
page 5 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-24802 | — | — | 0.00 | — | 0.02 | — | Mar 31, 2022 | deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known… |
| CVE-2021-23433 | — | — | 0.00 | — | 0.02 | — | Nov 19, 2021 | The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js SearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only… |
| CVE-2021-3918 | — | — | 0.00 | — | 0.04 | — | Nov 13, 2021 | json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CVE-2021-23452 | — | — | 0.00 | — | 0.01 | — | Oct 20, 2021 | This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object. |
| CVE-2021-23449 | — | — | 0.00 | — | 0.03 | — | Oct 18, 2021 | This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. |
| CVE-2021-41097 | — | — | 0.00 | — | 0.05 | — | Sep 27, 2021 | aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia applications that use the `aurelia-path` package to parse a string. The… |
| CVE-2021-39227 | — | — | 0.00 | — | 0.01 | — | Sep 17, 2021 | ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts,… |
| CVE-2021-23442 | — | — | 0.00 | — | 0.02 | — | Sep 17, 2021 | This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object. |
| CVE-2021-3805 | — | — | 0.00 | — | 0.02 | — | Sep 17, 2021 | object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CVE-2021-3666 | — | — | 0.00 | — | 0.01 | — | Sep 13, 2021 | body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CVE-2021-3645 | — | — | 0.00 | — | 0.01 | — | Sep 10, 2021 | merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CVE-2021-3766 | — | — | 0.00 | — | 0.01 | — | Sep 6, 2021 | objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CVE-2021-3757 | — | — | 0.00 | — | 0.02 | — | Sep 2, 2021 | immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CVE-2021-23421 | — | — | 0.00 | — | 0.01 | — | Aug 11, 2021 | All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function. |
| CVE-2021-23419 | — | — | 0.00 | — | 0.01 | — | Aug 8, 2021 | This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload. |
| CVE-2021-32811 | — | — | 0.00 | — | 0.02 | — | Aug 2, 2021 | Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and… |
| CVE-2021-32807 | — | — | 0.00 | — | 0.02 | — | Jul 30, 2021 | The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl`… |
| CVE-2021-23417 | — | — | 0.00 | — | 0.01 | — | Jul 28, 2021 | All versions of package deepmergefn are vulnerable to Prototype Pollution via the deepMerge function. |
| CVE-2021-25952 | — | — | 0.00 | — | 0.03 | — | Jul 7, 2021 | Prototype pollution vulnerability in ‘just-safe-set’ versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-23403 | — | — | 0.00 | — | 0.01 | — | Jul 2, 2021 | All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of input validation. |