Total: 370 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-23497 | 1 Set Project | 1 Set | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821 | |||||
CVE-2021-23470 | 1 Putil-merge Project | 1 Putil-merge | 2024-11-21 | 7.5 HIGH | 8.2 HIGH |
This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077 | |||||
CVE-2021-23460 | 1 Camunda | 1 Min-dash | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The package min-dash before 3.8.1 is vulnerable to Prototype Pollution via the set method due to missing enforcement of key types. | |||||
CVE-2021-23452 | 1 Binaryops | 1 X-assign | 2024-11-21 | 7.5 HIGH | 8.6 HIGH |
This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object. | |||||
CVE-2021-23450 | 3 Debian, Linuxfoundation, Oracle | 5 Debian Linux, Dojo, Communications Policy Management and 2 more | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. | |||||
CVE-2021-23449 | 1 Vm2 Project | 1 Vm2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. | |||||
CVE-2021-23448 | 1 Config-handler Project | 1 Config-handler | 2024-11-21 | 7.5 HIGH | 6.5 MEDIUM |
All versions of package config-handler are vulnerable to Prototype Pollution when loading config files. | |||||
CVE-2021-23442 | 1 Cookiex-deep Project | 1 Cookiex-deep | 2024-11-21 | 7.5 HIGH | 8.6 HIGH |
This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object. | |||||
CVE-2021-23433 | 1 Algolia | 1 Algoliasearch-helper | 2024-11-21 | 6.8 MEDIUM | 5.9 MEDIUM |
The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js (SearchParameters._parseNumbers) without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns. | |||||
CVE-2021-23421 | 1 Merge-change Project | 1 Merge-change | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM |
All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function. | |||||
CVE-2021-23419 | 1 Open-graph Project | 1 Open-graph | 2024-11-21 | 5.0 MEDIUM | 7.3 HIGH |
This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload. | |||||
CVE-2021-23417 | 1 Deepmergefn Project | 1 Deepmergefn | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM |
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function. | |||||
CVE-2021-23408 | 1 Graphhopper | 1 Graphhopper | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload. | |||||
CVE-2021-23403 | 1 Ts-nodash Project | 1 Ts-nodash | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of input validation. | |||||
CVE-2021-23402 | 1 Record-like-deep-assign Project | 1 Record-like-deep-assign | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. | |||||
CVE-2021-23397 | 1 Merge Project | 1 Merge | 2024-11-21 | N/A | 5.6 MEDIUM |
All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead. | |||||
CVE-2021-23396 | 1 Lutils Project | 1 Lutils | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM |
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function. | |||||
CVE-2021-23395 | 1 Nedb Project | 1 Nedb | 2024-11-21 | 5.0 MEDIUM | 7.3 HIGH |
This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload. | |||||
CVE-2021-23383 | 2 Handlebarsjs, Netapp | 2 Handlebars, E-series Performance Analyzer | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM |
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. | |||||
CVE-2021-23373 | 1 Set-deep-prop Project | 1 Set-deep-prop | 2024-11-21 | N/A | 7.5 HIGH |
All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality. |