Total: 370 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-36578 | | | 2024-11-21 | N/A | 5.9 MEDIUM | akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.
CVE-2024-36577 | | | 2024-11-21 | N/A | 8.3 HIGH | apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty.
CVE-2024-36574 | | | 2024-11-21 | N/A | 6.3 MEDIUM | A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON (flatten-json/index.js:42).
CVE-2024-36573 | | | 2024-11-21 | N/A | 9.8 CRITICAL | almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component.
CVE-2024-36572 | Allpro | Formmanager Data Handler | 2024-11-21 | N/A | 9.8 CRITICAL | Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
CVE-2024-34273 | | | 2024-11-21 | N/A | 5.9 MEDIUM | njwt up to v0.4.0 was discovered to contain a prototype pollution in the Parser.prototype.parse method.
CVE-2024-34148 | | | 2024-11-21 | N/A | 6.8 MEDIUM | Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system property `hudson.model.ParametersAction.keepUndefinedParameters`.
CVE-2024-33519 | | | 2024-11-21 | N/A | 7.2 HIGH | A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system, leading to complete system compromise.
CVE-2024-32866 | | | 2024-11-21 | N/A | 8.6 HIGH | Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.
CVE-2024-30564 | | | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in andrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method.
CVE-2024-29651 | | | 2024-11-21 | N/A | 8.1 HIGH | A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the `bundle()`, `parse()`, `resolve()` and `dereference()` functions.
CVE-2024-29650 | | | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe components.
CVE-2024-24293 | | | 2024-11-21 | N/A | 8.8 HIGH | A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.
CVE-2024-23339 | Elijahharry | Hoolock | 2024-11-21 | N/A | 6.3 MEDIUM | hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties.
CVE-2024-22443 | Arubanetworks | Edgeconnect Sd-wan Orchestrator | 2024-11-21 | N/A | 7.2 HIGH | A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system, leading to complete system compromise.
CVE-2024-21512 | | | 2024-11-21 | N/A | 8.2 HIGH | Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper sanitization of user input passed to fields and tables when using nestTables.
CVE-2023-6293 | Sequelizejs | Sequelize-typescript | 2024-11-21 | N/A | 7.1 HIGH | Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6.
CVE-2023-46308 | Plotly | Plotly.js | 2024-11-21 | N/A | 9.8 CRITICAL | In Plotly plotly.js before 2.25.2, plot API calls have a risk of `__proto__` being polluted in expandObjectPaths or nestedProperty.
CVE-2023-45827 | Clickbar | Dot-diver | 2024-11-21 | N/A | 7.3 HIGH | Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can lead to remote code execution (RCE). This issue has been addressed in commit `98daf567`, which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-45811 | Relative | Synchrony | 2024-11-21 | N/A | 8.1 HIGH | Synchrony deobfuscator is a JavaScript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. The `__proto__` pollution vulnerability exists in the `LiteralMap` transformer, allowing crafted input to modify properties in the Object prototype. A fix has been released in `deobfuscator@2.4.4`. Users are advised to upgrade. Users unable to upgrade should launch node with the `--disable-proto=delete` or `--disable-proto=throw` flag.