Total
375 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7638 | 1 Confinit Project | 1 Confinit | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| confinit through 0.3.0 is vulnerable to Prototype Pollution.The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. | |||||
| CVE-2020-7637 | 1 Class-transformer Project | 1 Class-transformer | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| class-transformer before 0.3.1 allow attackers to perform Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | |||||
| CVE-2020-7618 | 1 Sds Project | 1 Sds | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| sds through 3.2.0 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'. | |||||
| CVE-2020-7617 | 1 Ini-parser Project | 1 Ini-parser | 2024-11-21 | 7.5 HIGH | 4.4 MEDIUM |
| ini-parser through 0.0.2 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload. | |||||
| CVE-2020-7616 | 1 Express-mock-middleware Project | 1 Express-mock-middleware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk. | |||||
| CVE-2020-7608 | 1 Yargs | 1 Yargs-parser | 2024-11-21 | 4.6 MEDIUM | 5.3 MEDIUM |
| yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload. | |||||
| CVE-2020-7600 | 1 Querymen Project | 1 Querymen | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks. | |||||
| CVE-2020-7598 | 2 Opensuse, Substack | 2 Leap, Minimist | 2024-11-21 | 6.8 MEDIUM | 5.6 MEDIUM |
| minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | |||||
| CVE-2020-5258 | 3 Debian, Linuxfoundation, Oracle | 10 Debian Linux, Dojo, Communications Application Session Controller and 7 more | 2024-11-21 | 5.0 MEDIUM | 7.7 HIGH |
| In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2 | |||||
| CVE-2020-36632 | 1 Flat Project | 1 Flat | 2024-11-21 | N/A | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability. | |||||
| CVE-2020-36618 | 1 Furqansofware | 1 Node Whois | 2024-11-21 | N/A | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file index.coffee. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The name of the patch is 46ccc2aee8d063c7b6b4dee2c2834113b7286076. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216252. | |||||
| CVE-2020-36604 | 1 Hapijs | 1 Hoek | 2024-11-21 | N/A | 8.1 HIGH |
| hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function. | |||||
| CVE-2020-28471 | 1 Properties-reader Project | 1 Properties-reader | 2024-11-21 | N/A | 7.3 HIGH |
| This affects the package properties-reader before 2.2.0. | |||||
| CVE-2020-28462 | 1 Ion-parser Project | 1 Ion-parser | 2024-11-21 | N/A | 7.3 HIGH |
| This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | |||||
| CVE-2020-28461 | 1 Js-ini Project | 1 Js-ini | 2024-11-21 | N/A | 7.3 HIGH |
| This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | |||||
| CVE-2020-28460 | 1 Multi-ini Project | 1 Multi-ini | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM |
| This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448. | |||||
| CVE-2020-28458 | 1 Datatables | 1 Datatables.net | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. | |||||
| CVE-2020-28448 | 1 Multi-ini Project | 1 Multi-ini | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM |
| This affects the package multi-ini before 2.1.1. It is possible to pollute an object's prototype by specifying the proto object as part of an array. | |||||
| CVE-2020-28441 | 1 Conf-cfg-ini Project | 1 Conf-cfg-ini | 2024-11-21 | N/A | 7.3 HIGH |
| This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context. | |||||
| CVE-2020-28271 | 1 Deephas Project | 1 Deephas | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. | |||||