Total
341 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-37609 | 1 Js-beautify Project | 1 Js-beautify | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js. | |||||
| CVE-2022-37602 | 1 Grunt-karma Project | 1 Grunt-karma | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 via the key variable in grunt-karma.js. | |||||
| CVE-2022-37601 | 2 Debian, Webpack.js | 2 Debian Linux, Loader-utils | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. | |||||
| CVE-2022-37598 | 1 Uglifyjs Project | 1 Uglifyjs | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report. | |||||
| CVE-2022-37266 | 1 Stealjs | 1 Steal | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function extend in babel.js in stealjs steal 2.2.4 via the key variable in babel.js. | |||||
| CVE-2022-37265 | 1 Stealjs | 1 Steal | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js. | |||||
| CVE-2022-37264 | 1 Stealjs | 1 Steal | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js. | |||||
| CVE-2022-37258 | 1 Stealjs | 1 Steal | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js. | |||||
| CVE-2022-37257 | 1 Stealjs | 1 Steal | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. | |||||
| CVE-2022-36060 | 1 Matrix | 1 React Sdk | 2024-11-21 | N/A | 8.2 HIGH |
| matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered. This issue has been fixed in matrix-react-sdk 3.53.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-36059 | 1 Matrix | 1 Javascript Sdk | 2024-11-21 | N/A | 8.2 HIGH |
| matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible. | |||||
| CVE-2022-31106 | 1 Clever | 1 Underscore.deep | 2024-11-21 | 7.5 HIGH | 8.3 HIGH |
| Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to prevent specific keywords which will prevent this from happening. | |||||
| CVE-2022-2625 | 3 Fedoraproject, Postgresql, Redhat | 3 Fedora, Postgresql, Enterprise Linux | 2024-11-21 | N/A | 8.0 HIGH |
| A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser. | |||||
| CVE-2022-2564 | 1 Mongoosejs | 1 Mongoose | 2024-11-21 | N/A | 9.8 CRITICAL |
| Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. | |||||
| CVE-2022-2200 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-11-21 | N/A | 8.8 HIGH |
| If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. | |||||
| CVE-2022-29823 | 1 Feathersjs | 1 Feathers-sequelize | 2024-11-21 | N/A | 10.0 CRITICAL |
| Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application. | |||||
| CVE-2022-26260 | 1 Simple-plist Project | 1 Simple-plist | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Simple-Plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse(). | |||||
| CVE-2022-25907 | 1 Typescript Deep Merge Project | 1 Typescript Deep Merge | 2024-11-21 | N/A | 7.5 HIGH |
| The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Pollution due to missing sanitization of the merge function. | |||||
| CVE-2022-25904 | 1 Safe-eval Project | 1 Safe-eval | 2024-11-21 | N/A | 7.5 HIGH |
| All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype. | |||||
| CVE-2022-25878 | 1 Protobufjs Project | 1 Protobufjs | 2024-11-21 | 5.0 MEDIUM | 8.2 HIGH |
| The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files | |||||