VYPR

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Abstraction: Base; Status: Incomplete

Description

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
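As an added illustration of the weakness (example code written for this page, not code from any of the products listed below): a profile-update handler that writes every attribute named in the request body into the stored record, next to one that only accepts an explicit allowlist of writable fields and validates each value. The record shape, field names, validators and request body are hypothetical.

```javascript
// Added example for this page, not code from any listed product.
// Fields a client may change, each with a validator for its value.
// The field set and rules are hypothetical.
const WRITABLE_FIELDS = {
  displayName: (v) => typeof v === 'string' && v.length > 0 && v.length <= 64,
  email: (v) => typeof v === 'string' && /^[^\s@]+@[^\s@]+$/.test(v),
};

// Vulnerable: whatever attributes the client names are written. A body
// carrying "role" changes the caller's privileges, and because Object.assign
// uses [[Set]], an own "__proto__" key produced by JSON.parse swaps the
// result's prototype as well.
function updateProfileVulnerable(user, body) {
  return Object.assign({}, user, body);
}

// Hardened: walk the body, keep only keys that are own properties of the
// allowlist and pass their validator, and report everything dropped so the
// caller can log or reject the request.
function updateProfileSafe(user, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('body must be a JSON object');
  }
  const updated = { ...user };
  const rejected = [];
  for (const key of Object.keys(body)) {
    const validate = Object.prototype.hasOwnProperty.call(WRITABLE_FIELDS, key)
      ? WRITABLE_FIELDS[key]
      : null;
    if (validate === null || !validate(body[key])) {
      rejected.push(key);
      continue;
    }
    updated[key] = body[key];
  }
  return { updated, rejected };
}

// Constructed sample: a stored record and a request body that tries to
// escalate "role", flip "emailVerified" and smuggle a "__proto__" key.
function demonstrateMassAssignment() {
  const stored = {
    id: 42,
    displayName: 'alice',
    email: 'alice@example.test',
    role: 'user',
    emailVerified: false,
  };
  const body = JSON.parse(
    '{"displayName":"eve","role":"admin","emailVerified":true,"__proto__":{"x":1}}'
  );
  return {
    vulnerable: updateProfileVulnerable(stored, body),
    safe: updateProfileSafe(stored, body),
  };
}

console.log(demonstrateMassAssignment());
```

The direction of the check is the point: a denylist of "dangerous" fields such as role has to be kept in sync with every future column, whereas the allowlist above only ever grants what the handler was written to grant, and the hasOwnProperty lookup keeps inherited names such as constructor from matching.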

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (145)

page 6 of 8
  • CVE-2021-23402 (Jul 2, 2021)
    risk 0.00, cvss n/a, epss 0.01

    All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.

  • CVE-2021-32736 (Jun 30, 2021)
    risk 0.00, cvss n/a, epss 0.01

    think-helper defines a set of helper functions for ThinkJS. In versions of think-helper prior to 1.1.3, the software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control…

  • CVE-2021-25949 (Jun 10, 2021)
    risk 0.00, cvss n/a, epss 0.03

    Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

  • CVE-2021-25948 (Jun 10, 2021)
    risk 0.00, cvss n/a, epss 0.03

    Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

  • CVE-2021-25945 (May 26, 2021)
    risk 0.00, cvss n/a, epss 0.03

    Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

  • CVE-2021-21368 (Mar 12, 2021)
    risk 0.00, cvss n/a, epss 0.02

    msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__.…

  • CVE-2020-24914 (Mar 4, 2021)
    risk 0.00, cvss n/a, epss 0.06

    A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request.

  • CVE-2021-21297 (Feb 26, 2021)
    risk 0.00, cvss n/a, epss 0.01

    Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to…

  • CVE-2021-27582 (Feb 23, 2021)
    risk 0.00, cvss n/a, epss 0.02

    org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth…

  • CVE-2020-28499 (Feb 18, 2021)
    risk 0.00, cvss n/a, epss 0.01

    All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.

  • CVE-2021-21304 (Feb 8, 2021)
    risk 0.00, cvss n/a, epss 0.02

    Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method is used throughout the codebase for…

  • CVE-2020-7774 (Nov 17, 2020)
    risk 0.00, cvss n/a, epss 0.69

    The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

  • CVE-2020-28270 (Nov 12, 2020)
    risk 0.00, cvss n/a, epss 0.04

    Prototype pollution vulnerability in 'object-hierarchy-access' versions 0.2.0 through 0.32.0 allows an attacker to cause a denial of service and may lead to remote code execution.

  • CVE-2020-28269 (Nov 12, 2020)
    risk 0.00, cvss n/a, epss 0.04

    Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

  • CVE-2020-7768 (Nov 11, 2020)
    risk 0.00, cvss n/a, epss 0.04

    The packages grpc before 1.24.4 and @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.

  • CVE-2020-7746 (Oct 29, 2020)
    risk 0.00, cvss n/a, epss 0.05

    This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys…

  • CVE-2020-7748 (Oct 20, 2020)
    risk 0.00, cvss n/a, epss 0.02

    This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

  • CVE-2020-7743 (Oct 13, 2020)
    risk 0.00, cvss n/a, epss 0.04

    The package mathjs before 7.5.1 is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.

  • CVE-2020-7720 (Sep 1, 2020)
    risk 0.00, cvss n/a, epss 0.03

    The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

  • CVE-2020-7719 (Sep 1, 2020)
    risk 0.00, cvss n/a, epss 0.03

    Versions of package locutus before 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function.
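Most entries on this page are JavaScript prototype pollution of the same two shapes: a recursive merge (the merge, chart.js, @tsed/core and mathjs entries) or a dotted-path setter (the node-forge and Dynamoose entries) that follows attacker-chosen key names and, on the key "__proto__", writes into Object.prototype. The block below is an added example written for this page, not code from any listed package; it shows both helpers in a vulnerable shape and a hardened shape and then runs them against constructed attacker input. Function names and inputs are hypothetical.

```javascript
// Added example for this page, not code from any listed package.
// Keys that must never be walked when attacker data decides the key names.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable recursive merge: every own key of `source` is followed.
// JSON.parse('{"__proto__":{...}}') yields an own key named "__proto__";
// reading target["__proto__"] on a plain target returns Object.prototype,
// so the recursion copies the attacker's properties onto it.
function deepMergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skip the blocked keys and only descend into properties
// that `target` actually owns, so inherited objects are never reached.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      deepMergeSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Vulnerable dotted-path setter ("a.b.c" -> obj.a.b.c = value). The path
// "__proto__.isAdmin" walks into Object.prototype exactly like the merge.
function setPathVulnerable(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!isPlainObject(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened setter: reject any blocked segment instead of silently skipping
// it, so a tampered path fails loudly rather than landing somewhere else.
function setPathSafe(obj, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => BLOCKED_KEYS.has(p))) {
    throw new Error(`refusing to set path with forbidden segment: ${path}`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, parts[i]) || !isPlainObject(cur[parts[i]])) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Run both shapes against constructed attacker input and report, as
// booleans, whether a fresh {} ended up carrying the injected property.
// Pollution from the vulnerable calls is deleted again so the checks that
// follow start from a clean Object.prototype.
function demonstratePrototypePollution() {
  const payload = JSON.parse('{"displayName":"eve","__proto__":{"polluted":true}}');
  const results = {};

  deepMergeVulnerable({}, payload);
  results.vulnerableMergePollutes = ({}).polluted === true;
  delete Object.prototype.polluted;

  const merged = deepMergeSafe({}, payload);
  results.safeMergePollutes = ({}).polluted === true;
  results.safeMergeKeepsBenignKey = merged.displayName === 'eve';

  setPathVulnerable({}, '__proto__.isAdmin', true);
  results.vulnerableSetPathPollutes = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  let threw = false;
  try { setPathSafe({}, '__proto__.isAdmin', true); } catch (e) { threw = true; }
  results.safeSetPathThrows = threw;
  results.safeSetPathPollutes = ({}).isAdmin === true;
  results.safeSetPathNormal = setPathSafe({}, 'options.scales.y', 1).options.scales.y === 1;
  return results;
}

console.log(demonstratePrototypePollution());
```

The hasOwnProperty guard matters as much as the key denylist: a merge that descends into whatever target[key] returns will reach inherited objects through any accessor on the chain, and the denylist only covers the three names known today. A complementary defence where the code owns the target is to build it with Object.create(null) or to freeze Object.prototype at startup, which turns the write into a no-op (or a TypeError in strict mode) regardless of which helper was fooled.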