RSS   Vulnerabilities for 'Lodash'   RSS

2021-09-30
 
CVE-2021-41720

CWE-77
 
 
** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input.

 
2020-07-15
 
CVE-2020-8203

CWE-770
 
 
Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.

 
2019-07-25
 
CVE-2019-10744

CWE-20
 
 
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

 
2019-07-17
 
CVE-2019-1010266

CWE-400
 
 
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

 
2019-02-01
 
CVE-2018-16487

CWE-254
 
 
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

 
2018-06-06
 
CVE-2018-3721

CWE-noinfo
 
 
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

 

Copyright 2024, cxsecurity.com

 

Back to Top