VYPR

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

BaseIncomplete

Description

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (145)

page 7 of 8
  • CVE-2020-7708Aug 18, 2020
    risk 0.00cvss epss 0.03

    The package irrelon-path before 4.7.0; the package @irrelon/path before 4.7.0 are vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions.

  • CVE-2020-7707Aug 18, 2020
    risk 0.00cvss epss 0.03

    The package property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function.

  • CVE-2020-7706Aug 18, 2020
    risk 0.00cvss epss 0.03

    The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.

  • CVE-2020-7703Aug 17, 2020
    risk 0.00cvss epss 0.02

    All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function.

  • CVE-2020-7702Aug 17, 2020
    risk 0.00cvss epss 0.02

    All versions of package templ8 are vulnerable to Prototype Pollution via the parse function.

  • CVE-2020-7701Aug 14, 2020
    risk 0.00cvss epss 0.02

    madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.

  • CVE-2020-7699Jul 30, 2020
    risk 0.00cvss epss 0.05

    This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

  • CVE-2020-15366Jul 15, 2020
    risk 0.00cvss epss 0.02

    An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an…

  • CVE-2020-7679Jun 19, 2020
    risk 0.00cvss epss 0.02

    In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution.

  • CVE-2020-11066May 13, 2020
    risk 0.00cvss epss 0.01

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering…

  • CVE-2020-7644Apr 28, 2020
    risk 0.00cvss epss 0.01

    fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

  • CVE-2020-7618Apr 7, 2020
    risk 0.00cvss epss 0.01

    sds through 3.2.0 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'.

  • CVE-2020-7616Apr 7, 2020
    risk 0.00cvss epss 0.01

    express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack…

  • CVE-2020-7639Apr 6, 2020
    risk 0.00cvss epss 0.01

    eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.The function 'set' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

  • CVE-2020-7638Apr 6, 2020
    risk 0.00cvss epss 0.01

    confinit through 0.3.0 is vulnerable to Prototype Pollution.The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

  • CVE-2020-7637Apr 6, 2020
    risk 0.00cvss epss 0.01

    class-transformer before 0.3.1 allow attackers to perform Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

  • CVE-2020-7617Apr 2, 2020
    risk 0.00cvss epss 0.01

    ini-parser through 0.0.2 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload.

  • CVE-2020-7608Mar 16, 2020
    risk 0.00cvss epss 0.01

    yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

  • CVE-2020-7600Mar 12, 2020
    risk 0.00cvss epss 0.01

    querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.

  • CVE-2019-10808Mar 11, 2020
    risk 0.00cvss epss 0.02

    utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.