CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Description
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Hierarchy (View 1000)
CVEs mapped to this weakness (145)
Page 6 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-23402 | — | | 0.00 | — | 0.01 | | Jul 2, 2021 | All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. |
| CVE-2021-32736 | — | | 0.00 | — | 0.01 | | Jun 30, 2021 | think-helper defines a set of helper functions for ThinkJS. In versions of think-helper prior to 1.1.3, the software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control… |
| CVE-2021-25949 | — | | 0.00 | — | 0.03 | | Jun 10, 2021 | Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-25948 | — | | 0.00 | — | 0.03 | | Jun 10, 2021 | Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-25945 | — | | 0.00 | — | 0.03 | | May 26, 2021 | Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-21368 | — | | 0.00 | — | 0.02 | | Mar 12, 2021 | msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__.… |
| CVE-2020-24914 | — | | 0.00 | — | 0.06 | | Mar 4, 2021 | A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request. |
| CVE-2021-21297 | | | 0.00 | — | 0.01 | | Feb 26, 2021 | Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to… |
| CVE-2021-27582 | — | | 0.00 | — | 0.02 | | Feb 23, 2021 | org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth… |
| CVE-2020-28499 | — | | 0.00 | — | 0.01 | | Feb 18, 2021 | All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge. |
| CVE-2021-21304 | | | 0.00 | — | 0.02 | | Feb 8, 2021 | Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method is used throughout the codebase for… |
| CVE-2020-7774 | — | | 0.00 | — | 0.69 | | Nov 17, 2020 | The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. |
| CVE-2020-28270 | | | 0.00 | — | 0.04 | | Nov 12, 2020 | Prototype pollution vulnerability in 'object-hierarchy-access' versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28269 | — | | 0.00 | — | 0.04 | | Nov 12, 2020 | Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-7768 | | | 0.00 | — | 0.04 | | Nov 11, 2020 | The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition. |
| CVE-2020-7746 | — | | 0.00 | — | 0.05 | | Oct 29, 2020 | This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys… |
| CVE-2020-7748 | — | | 0.00 | — | 0.02 | | Oct 20, 2020 | This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program. |
| CVE-2020-7743 | — | | 0.00 | — | 0.04 | | Oct 13, 2020 | The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates. |
| CVE-2020-7720 | | | 0.00 | — | 0.03 | | Sep 1, 2020 | The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions. |
| CVE-2020-7719 | — | | 0.00 | — | 0.03 | | Sep 1, 2020 | Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function. |