Total
370 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7616 | 1 Express-mock-middleware Project | 1 Express-mock-middleware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk. | |||||
| CVE-2020-7608 | 1 Yargs | 1 Yargs-parser | 2024-11-21 | 4.6 MEDIUM | 5.3 MEDIUM |
| yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload. | |||||
| CVE-2020-7600 | 1 Querymen Project | 1 Querymen | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks. | |||||
| CVE-2020-7598 | 2 Opensuse, Substack | 2 Leap, Minimist | 2024-11-21 | 6.8 MEDIUM | 5.6 MEDIUM |
| minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | |||||
| CVE-2020-36632 | 1 Flat Project | 1 Flat | 2024-11-21 | N/A | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability. | |||||
| CVE-2020-36618 | 1 Furqansofware | 1 Node Whois | 2024-11-21 | N/A | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file index.coffee. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The name of the patch is 46ccc2aee8d063c7b6b4dee2c2834113b7286076. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216252. | |||||
| CVE-2020-36604 | 1 Hapijs | 1 Hoek | 2024-11-21 | N/A | 8.1 HIGH |
| hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function. | |||||
| CVE-2020-28471 | 1 Properties-reader Project | 1 Properties-reader | 2024-11-21 | N/A | 7.3 HIGH |
| This affects the package properties-reader before 2.2.0. | |||||
| CVE-2020-28462 | 1 Ion-parser Project | 1 Ion-parser | 2024-11-21 | N/A | 7.3 HIGH |
| This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | |||||
| CVE-2020-28461 | 1 Js-ini Project | 1 Js-ini | 2024-11-21 | N/A | 7.3 HIGH |
| This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | |||||
| CVE-2020-28460 | 1 Multi-ini Project | 1 Multi-ini | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM |
| This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448. | |||||
| CVE-2020-28458 | 1 Datatables | 1 Datatables.net | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. | |||||
| CVE-2020-28448 | 1 Multi-ini Project | 1 Multi-ini | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM |
| This affects the package multi-ini before 2.1.1. It is possible to pollute an object's prototype by specifying the proto object as part of an array. | |||||
| CVE-2020-28441 | 1 Conf-cfg-ini Project | 1 Conf-cfg-ini | 2024-11-21 | N/A | 7.3 HIGH |
| This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context. | |||||
| CVE-2020-28271 | 1 Deephas Project | 1 Deephas | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2020-28270 | 1 Mjpclab | 1 Object-hierarchy-access | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'object-hierarchy-access' versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2020-28269 | 1 Exodus | 1 Field | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2020-28268 | 1 Controlled-merge Project | 1 Controlled-merge | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2020-24939 | 1 Stampit | 1 Supermixer | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Prototype pollution in Stampit supermixer 1.0.3 allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation. | |||||
| CVE-2020-15366 | 1 Ajv.js | 1 Ajv | 2024-11-21 | 6.8 MEDIUM | 5.6 MEDIUM |
| An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.) | |||||