Total
341 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25871 | 1 Querymen Project | 1 Querymen | 2024-11-21 | 5.0 MEDIUM | 5.9 MEDIUM |
| All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. Note: This vulnerability derives from an incomplete fix of [CVE-2020-7600](https://security.snyk.io/vuln/SNYK-JS-QUERYMEN-559867). | |||||
| CVE-2022-25862 | 1 Sds Project | 1 Sds | 2024-11-21 | 5.0 MEDIUM | 4.0 MEDIUM |
| This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to [CVE-2020-7618](https://security.snyk.io/vuln/SNYK-JS-SDS-564123) | |||||
| CVE-2022-25645 | 1 Dset Project | 1 Dset | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM |
| All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution. | |||||
| CVE-2022-25354 | 1 Set-in Project | 1 Set-in | 2024-11-21 | 7.5 HIGH | 8.6 HIGH |
| The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049) | |||||
| CVE-2022-25352 | 1 Libnested Project | 1 Libnested | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930) | |||||
| CVE-2022-25324 | 1 Bignum Project | 1 Bignum | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8, when verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks. | |||||
| CVE-2022-25301 | 1 Jsgui-lang-essentials Project | 1 Jsgui-lang-essentials | 2024-11-21 | 7.5 HIGH | 7.7 HIGH |
| All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. | |||||
| CVE-2022-25296 | 1 Bodymen Project | 1 Bodymen | 2024-11-21 | 7.5 HIGH | 6.3 MEDIUM |
| The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897) | |||||
| CVE-2022-24999 | 3 Debian, Openjsf, Qs Project | 3 Debian Linux, Express, Qs | 2024-11-21 | N/A | 7.5 HIGH |
| qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable). | |||||
| CVE-2022-24802 | 1 Deepmerge-ts Project | 1 Deepmerge-ts | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
| deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known workarounds for this issue. | |||||
| CVE-2022-24760 | 3 Canonical, Microsoft, Parseplatform | 3 Ubuntu Linux, Windows, Parse-server | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm. | |||||
| CVE-2022-24279 | 1 Springtree | 1 Madlib-object-utils | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676) | |||||
| CVE-2022-23624 | 1 Frourio | 1 Frourio-express | 2024-11-21 | 6.5 MEDIUM | 8.1 HIGH |
| Frourio-express is a minimal full stack framework, for TypeScript. Frourio-express users who uses frourio-express version prior to v0.26.0 and integration with class-validator through `validators/` folder are subject to a input validation vulnerability. Validators do not work properly for request bodies and queries in specific situations and some input is not validated at all. Users are advised to update frourio to v0.26.0 or later and to install `class-transformer` and `reflect-metadata`. | |||||
| CVE-2022-23623 | 1 Frourio | 1 Frourio | 2024-11-21 | 6.5 MEDIUM | 8.1 HIGH |
| Frourio is a full stack framework, for TypeScript. Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder are subject to a input validation vulnerability. Validators do not work properly for request bodies and queries in specific situations and some input is not validated at all. Users are advised to update frourio to v0.26.0 or later and to install `class-transformer` and `reflect-metadata`. | |||||
| CVE-2022-23395 | 1 Jquery.cookie Project | 1 Jquery.cookie | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS). | |||||
| CVE-2022-22912 | 1 Plist Project | 1 Plist | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution. | |||||
| CVE-2022-22143 | 1 Mozilla | 1 Convict | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508) | |||||
| CVE-2022-21824 | 4 Debian, Netapp, Nodejs and 1 more | 11 Debian Linux, Oncommand Insight, Oncommand Workflow Automation and 8 more | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
| Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to. | |||||
| CVE-2022-21803 | 1 Nconf Project | 1 Nconf | 2024-11-21 | 5.0 MEDIUM | 7.3 HIGH |
| This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype. | |||||
| CVE-2022-21231 | 1 Deep-get-set Project | 1 Deep-get-set | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666) | |||||