Total
443 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-39013 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-39012 | 1 Ais | 1 Strategyen | 2024-11-21 | N/A | 9.8 CRITICAL |
|
ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-39011 | 1 Chargeover | 1 Redoc | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects.
|
|||||
| CVE-2024-39010 | 1 Chasemoskal | 1 Snapstate | 2024-11-21 | N/A | 9.8 CRITICAL |
|
chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-39008 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
|
robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-38999 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
|
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-38992 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-38991 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
akbr patch-into v1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-38987 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
|
aofl cli-lib v3.14.0 was discovered to contain a prototype pollution via the component defaultsDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-38986 | 1 75lb | 1 Deep-merge | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects.
|
|||||
| CVE-2024-38984 | 1 Lukebond | 1 Json-override | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Prototype Pollution in lukebond json-override 0.2.0 allows attackers to to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property.
|
|||||
| CVE-2024-38983 | 1 Alykoshin | 1 Mini-deep-assign | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index.js:91)
|
|||||
| CVE-2024-36583 | 2024-11-21 | N/A | 8.1 HIGH | ||
|
A Prototype Pollution issue in byondreal accessor <= 1.0.0 allows an attacker to execute arbitrary code via @byondreal/accessor/index.
|
|||||
| CVE-2024-36582 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js)
|
|||||
| CVE-2024-36580 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.
|
|||||
| CVE-2024-36578 | 2024-11-21 | N/A | 5.9 MEDIUM | ||
|
akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.
|
|||||
| CVE-2024-36577 | 2024-11-21 | N/A | 8.3 HIGH | ||
|
apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty.
|
|||||
| CVE-2024-36574 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
|
A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON (flatten-json/index.js:42)
|
|||||
| CVE-2024-36573 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component.
|
|||||
| CVE-2024-36572 | 1 Allpro | 1 Formmanager Data Handler | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
|
|||||
| CVE-2024-34273 | 2024-11-21 | N/A | 5.9 MEDIUM | ||
|
njwt up to v0.4.0 was discovered to contain a prototype pollution in the Parser.prototype.parse method.
|
|||||
| CVE-2024-33519 | 2024-11-21 | N/A | 7.2 HIGH | ||
|
A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.
|
|||||
| CVE-2024-32866 | 2024-11-21 | N/A | 8.6 HIGH | ||
|
Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.
|
|||||
| CVE-2024-30564 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
An issue inandrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method.
|
|||||
| CVE-2024-29651 | 2024-11-21 | N/A | 8.1 HIGH | ||
|
A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the bundle()`, `parse()`, `resolve()`, `dereference() functions.
|
|||||
| CVE-2024-29650 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe components.
|
|||||
| CVE-2024-24293 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.
|
|||||
| CVE-2024-23339 | 1 Elijahharry | 1 Hoolock | 2024-11-21 | N/A | 6.3 MEDIUM |
|
hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties.
|
|||||
| CVE-2024-22443 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | N/A | 7.2 HIGH |
|
A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.
|
|||||
| CVE-2024-21512 | 2024-11-21 | N/A | 8.2 HIGH | ||
|
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
|
|||||
| CVE-2024-21505 | 2024-11-21 | N/A | 7.5 HIGH | ||
|
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.
|
|||||
| CVE-2023-6293 | 1 Sequelizejs | 1 Sequelize-typescript | 2024-11-21 | N/A | 7.1 HIGH |
|
Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6.
|
|||||
| CVE-2023-45827 | 1 Clickbar | 1 Dot-diver | 2024-11-21 | N/A | 7.3 HIGH |
|
Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.
|
|||||
| CVE-2023-45282 | 1 Nasa | 1 Openmct | 2024-11-21 | N/A | 7.5 HIGH |
|
In NASA Open MCT (aka openmct) before 3.1.0, prototype pollution can occur via an import action.
|
|||||
| CVE-2023-3965 | 1 Saleswizard | 1 Nsc | 2024-11-21 | N/A | 6.1 MEDIUM |
|
The nsc theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2023-3962 | 1 Myshopkit | 1 Winters | 2024-11-21 | N/A | 6.1 MEDIUM |
|
The Winters theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2023-3933 | 1 Wiloke | 1 Your Journey | 2024-11-21 | N/A | 6.1 MEDIUM |
|
The Your Journey theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2023-3696 | 1 Mongoosejs | 1 Mongoose | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
|
|||||
| CVE-2023-39296 | 1 Qnap | 2 Qts, Quts Hero | 2024-11-21 | N/A | 7.5 HIGH |
|
A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.3.2578 build 20231110 and later
QuTS hero h5.1.3.2578 build 20231110 and later
|
|||||
| CVE-2023-38894 | 1 Tree Kit Project | 1 Tree Kit | 2024-11-21 | N/A | 9.8 CRITICAL |
|
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function.
|
|||||