Total
377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26132 | 1 Dottie Project | 1 Dottie | 2025-01-06 | N/A | 7.5 HIGH |
| Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file. | |||||
| CVE-2024-45815 | 1 Linuxfoundation | 1 Backstage | 2025-01-03 | N/A | 6.5 MEDIUM |
| Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-21548 | 2024-12-18 | N/A | 7.5 HIGH | ||
| Versions of the package bun before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that accept objects. | |||||
| CVE-2024-56059 | 2024-12-18 | N/A | 9.8 CRITICAL | ||
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mighty Digital Partners allows Object Injection.This issue affects Partners: from n/a through 0.2.0. | |||||
| CVE-2024-52810 | 2024-11-29 | N/A | N/A | ||
| @intlify/shared is a shared library for the intlify project. The latest version of @intlify/shared (10.0.4) is vulnerable to Prototype Pollution through the entry function(s) lib.deepCopy. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) as the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context. This issue has been addressed in versions 9.14.2, and 10.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-0163 | 2024-11-27 | N/A | 8.4 HIGH | ||
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still, a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files. This issue affects Convict: before 6.2.4. | |||||
| CVE-2024-52441 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn allows Object Injection.This issue affects Quick Learn: from n/a through 1.0.1. | |||||
| CVE-2024-39853 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| adolph_dudu ratio-swiper 0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-39018 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
| harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function "query". This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-39016 | 2024-11-21 | N/A | 8.1 HIGH | ||
| che3vinci c3/utils-1 1.0.131 was discovered to contain a prototype pollution via the function assign. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-39014 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-39013 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| 2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-39012 | 1 Ais | 1 Strategyen | 2024-11-21 | N/A | 9.8 CRITICAL |
| ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-39011 | 1 Chargeover | 1 Redoc | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects. | |||||
| CVE-2024-39010 | 1 Chasemoskal | 1 Snapstate | 2024-11-21 | N/A | 9.8 CRITICAL |
| chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-39008 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
| robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-38999 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
| jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-38992 | 2024-11-21 | N/A | 8.8 HIGH | ||
| airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-38991 | 2024-11-21 | N/A | 8.8 HIGH | ||
| akbr patch-into v1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-38987 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
| aofl cli-lib v3.14.0 was discovered to contain a prototype pollution via the component defaultsDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||