Total: 425 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-37264 | 1 Stealjs | 1 Steal | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js. | ||||
| CVE-2022-37258 | 1 Stealjs | 1 Steal | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js. | ||||
| CVE-2022-37257 | 1 Stealjs | 1 Steal | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. | ||||
| CVE-2022-2625 | 3 Fedoraproject, Postgresql, Redhat | 8 Fedora, Postgresql, Enterprise Linux and 5 more | 2024-11-21 | 8.0 High |
| A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser. | ||||
| CVE-2022-2564 | 1 Mongoosejs | 1 Mongoose | 2024-11-21 | 9.8 Critical |
| Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. | ||||
| CVE-2022-26260 | 1 Simple-plist Project | 1 Simple-plist | 2024-11-21 | 9.8 Critical |
| Simple-Plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse(). | ||||
| CVE-2022-25907 | 1 Typescript Deep Merge Project | 1 Typescript Deep Merge | 2024-11-21 | 7.5 High |
| The package ts-deepmerge before 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function. | ||||
| CVE-2022-25878 | 1 Protobufjs Project | 1 Protobufjs | 2024-11-21 | 8.2 High |
| The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions; 2. by parsing/loading .proto files. | ||||
| CVE-2022-25871 | 1 Querymen Project | 1 Querymen | 2024-11-21 | 5.9 Medium |
| All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7600](https://security.snyk.io/vuln/SNYK-JS-QUERYMEN-559867). | ||||
| CVE-2022-25862 | 1 Sds Project | 1 Sds | 2024-11-21 | 4 Medium |
| This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to [CVE-2020-7618](https://security.snyk.io/vuln/SNYK-JS-SDS-564123) | ||||
| CVE-2022-25645 | 2 Dset Project, Redhat | 2 Dset, Acm | 2024-11-21 | 6.5 Medium |
| All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution. | ||||
| CVE-2022-25354 | 1 Set-in Project | 1 Set-in | 2024-11-21 | 8.6 High |
| The package set-in before 2.0.3 is vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049) | ||||
| CVE-2022-25352 | 1 Libnested Project | 1 Libnested | 2024-11-21 | 7.5 High |
| The package libnested before 1.5.2 is vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930) | ||||
| CVE-2022-25324 | 1 Bignum Project | 1 Bignum | 2024-11-21 | 7.5 High |
| All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8: when verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks. | ||||
| CVE-2022-25301 | 1 Jsgui-lang-essentials Project | 1 Jsgui-lang-essentials | 2024-11-21 | 7.7 High |
| All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. | ||||
| CVE-2022-25296 | 1 Bodymen Project | 1 Bodymen | 2024-11-21 | 6.3 Medium |
| The package bodymen from 0.0.0 is vulnerable to Prototype Pollution via the handler function, which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897) | ||||
| CVE-2022-24279 | 1 Springtree | 1 Madlib-object-utils | 2024-11-21 | 7.5 High |
| The package madlib-object-utils before 0.1.8 is vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676) | ||||
| CVE-2022-23631 | 1 Blitzjs | 2 Blitz, Superjson | 2024-11-21 | 9.1 Critical |
| superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue. | ||||
| CVE-2022-23395 | 1 Jquery.cookie Project | 1 Jquery.cookie | 2024-11-21 | 6.1 Medium |
| jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS). | ||||
| CVE-2022-22912 | 1 Plist Project | 1 Plist | 2024-11-21 | 9.8 Critical |
| Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution. | ||||