CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Description
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Hierarchy (View 1000)
CVEs mapped to this weakness (145)
Page 7 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-7708 | | | 0.00 | — | 0.03 | | Aug 18, 2020 | The package irrelon-path before 4.7.0 and the package @irrelon/path before 4.7.0 are vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions. |
| CVE-2020-7707 | | — | 0.00 | — | 0.03 | | Aug 18, 2020 | The package property-expr before 2.0.3 is vulnerable to Prototype Pollution via the setter function. |
| CVE-2020-7706 | | — | 0.00 | — | 0.03 | | Aug 18, 2020 | The package connie-lang before 0.1.1 is vulnerable to Prototype Pollution in the configuration language library used by connie. |
| CVE-2020-7703 | | — | 0.00 | — | 0.02 | | Aug 17, 2020 | All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function. |
| CVE-2020-7702 | | — | 0.00 | — | 0.02 | | Aug 17, 2020 | All versions of package templ8 are vulnerable to Prototype Pollution via the parse function. |
| CVE-2020-7701 | | — | 0.00 | — | 0.02 | | Aug 14, 2020 | madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue. |
| CVE-2020-7699 | | | 0.00 | — | 0.05 | | Jul 30, 2020 | This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. |
| CVE-2020-15366 | | — | 0.00 | — | 0.02 | | Jul 15, 2020 | An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an… |
| CVE-2020-7679 | | | 0.00 | — | 0.02 | | Jun 19, 2020 | In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution. |
| CVE-2020-11066 | | | 0.00 | — | 0.01 | | May 13, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17, and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering… |
| CVE-2020-7644 | | — | 0.00 | — | 0.01 | | Apr 28, 2020 | fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. |
| CVE-2020-7618 | | | 0.00 | — | 0.01 | | Apr 7, 2020 | sds through 3.2.0 is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of 'Object.prototype' by abusing the 'set' function located in 'js/set.js'. |
| CVE-2020-7616 | | | 0.00 | — | 0.01 | | Apr 7, 2020 | express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Functions exported by the package can be tricked into adding or modifying properties of `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack… |
| CVE-2020-7639 | | | 0.00 | — | 0.01 | | Apr 6, 2020 | eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution. The function 'set' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. |
| CVE-2020-7638 | | — | 0.00 | — | 0.01 | | Apr 6, 2020 | confinit through 0.3.0 is vulnerable to Prototype Pollution. The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. |
| CVE-2020-7637 | | — | 0.00 | — | 0.01 | | Apr 6, 2020 | class-transformer before 0.3.1 allows attackers to perform Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. |
| CVE-2020-7617 | | | 0.00 | — | 0.01 | | Apr 2, 2020 | ini-parser through 0.0.2 is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload. |
| CVE-2020-7608 | | — | 0.00 | — | 0.01 | | Mar 16, 2020 | yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload. |
| CVE-2020-7600 | | — | 0.00 | — | 0.01 | | Mar 12, 2020 | querymen prior to 2.1.4 allows modification of object properties. The parameters of the exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks. |
| CVE-2019-10808 | | — | 0.00 | — | 0.02 | | Mar 11, 2020 | utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of Object.prototype. |