Total: 369 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2024-38991 | 1 Akbr | 1 Patch-into | 2024-11-21 | 8.8 High | akbr patch-into v1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
CVE-2024-38987 | 1 Ageoflearning | 1 Cli-lib | 2024-11-21 | 6.3 Medium | aofl cli-lib v3.14.0 was discovered to contain a prototype pollution via the component defaultsDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
CVE-2024-38986 | 1 75lb | 1 Deep-merge | 2024-11-21 | 9.8 Critical | Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects. |
CVE-2024-38984 | 1 Lukebond | 1 Json-override | 2024-11-21 | 9.8 Critical | Prototype Pollution in lukebond json-override 0.2.0 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property. |
CVE-2024-38983 | 1 Alykoshin | 1 Mini-deep-assign | 2024-11-21 | 9.8 Critical | Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index.js:91). |
CVE-2024-36583 | 1 Byondreal | 1 Accessor | 2024-11-21 | 8.1 High | A Prototype Pollution issue in byondreal accessor <= 1.0.0 allows an attacker to execute arbitrary code via @byondreal/accessor/index. |
CVE-2024-36582 | | | 2024-11-21 | 9.8 Critical | alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js). |
CVE-2024-36580 | | | 2024-11-21 | 9.8 Critical | A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code. |
CVE-2024-36578 | 1 Akbr | 1 Update | 2024-11-21 | 5.9 Medium | akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js. |
CVE-2024-36577 | 1 Apphp | 1 Apphp Js-object-resolver | 2024-11-21 | 8.3 High | apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty. |
CVE-2024-36574 | 1 Amirziai | 1 Flatten Json | 2024-11-21 | 6.3 Medium | A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON (flatten-json/index.js:42). |
CVE-2024-36573 | 1 Almela | 1 Obx | 2024-11-21 | 9.8 Critical | almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component. |
CVE-2024-36572 | 1 Allpro | 2 Form-manager, Formmanager Data Handler | 2024-11-21 | 9.8 Critical | Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue. |
CVE-2024-33519 | | | 2024-11-21 | 7.2 High | A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise. |
CVE-2024-32866 | 1 Edmundhung | 1 Conform | 2024-11-21 | 8.6 High | Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue. |
CVE-2024-30564 | | | 2024-11-21 | 9.8 Critical | An issue in andrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method. |
CVE-2024-29650 | | | 2024-11-21 | 9.8 Critical | An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe components. |
CVE-2024-27307 | | | 2024-11-21 | 9.8 Critical | JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually. |
CVE-2024-23339 | 1 Elijahharry | 1 Hoolock | 2024-11-21 | 6.3 Medium | hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties. |
CVE-2024-22443 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | 7.2 High | A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise. |