CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Base | Incomplete

Description

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (145)

page 8 of 8
  • CVE-2019-10806 | Mar 9, 2020
    risk 0.00 | cvss | epss 0.01

    vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype.

  • CVE-2019-10768 | Nov 19, 2019
    risk 0.00 | cvss | epss 0.02

    In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.

  • CVE-2019-10745 | Aug 20, 2019
    risk 0.00 | cvss | epss 0.01

    assign-deep is vulnerable to Prototype Pollution in versions before 0.4.8 and version 1.0.0. The function assign-deep could be tricked into adding or modifying properties of `Object.prototype` using either a `constructor` or a `__proto__` payload.

  • CVE-2019-14379 | Jul 29, 2019
    risk 0.00 | cvss | epss 0.08

    SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

  • CVE-2018-19296 | Nov 16, 2018
    risk 0.00 | cvss | epss 0.02

    PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.