CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Description
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Hierarchy (View 1000)
CVEs mapped to this weakness (145)
Page 8 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-10806 | — | | 0.00 | — | 0.01 | | Mar 9, 2020 | vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype. |
| CVE-2019-10768 | | | 0.00 | — | 0.02 | | Nov 19, 2019 | In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. |
| CVE-2019-10745 | — | | 0.00 | — | 0.01 | | Aug 20, 2019 | assign-deep is vulnerable to Prototype Pollution in versions before 0.4.8 and version 1.0.0. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using either a constructor or a _proto_ payload. |
| CVE-2019-14379 | — | | 0.00 | — | 0.08 | | Jul 29, 2019 | SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. |
| CVE-2018-19296 | — | | 0.00 | — | 0.02 | | Nov 16, 2018 | PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. |