CWE:
 

Topic
Date
Author
Med.
Proxmox VE 3 / 4 XSS / Privilege Escalation / Code Execution
27.02.2016
Nicolas CHATELAIN


CVEMAP Search Results

CVE
Details
Description
2022-06-28
Waiting for details
CVE-2022-31106

 

 
Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to 0.5.3 are vulnerable to prototype pollution. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any Objects created afterwards. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to reject specific keywords, which prevents the pollution.

 
2022-04-01
Waiting for details
CVE-2022-24802

 

 
deepmerge-ts is a TypeScript library for deep merging of JavaScript objects. deepmerge-ts is vulnerable to Prototype Pollution via the function defaultMergeRecords() in the file deepmerge.ts. This issue has been patched in version 4.0.2. There are no known workarounds for this issue.

 
2021-11-19
Medium
CVE-2021-23433

Vendor: Algolia
Software: Algoliasearc...
 

 
The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js SearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.

 
2021-11-13
Medium
CVE-2021-3918

Vendor: Json-schema project
Software: Json-schema
 

 
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

 
2021-10-20
Medium
CVE-2021-23452

Vendor: Binaryops
Software: X-assign
 

 
This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object.

 
2021-10-18
Medium
CVE-2021-23449

Vendor: Vm2 project
Software: VM2
 

 
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.

 
2021-09-06
Medium
CVE-2021-3766

Vendor: Objection project
Software: Objection
 

 
objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

 
2021-09-02
Medium
CVE-2021-3757

Vendor: Immer project
Software: Immer
 

 
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

 
2021-08-11
Medium
CVE-2021-23421

Vendor: Merge-change project
Software: Merge-change
 

 
All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.

 
2021-08-08
Medium
CVE-2021-23419

Vendor: Open-graph project
Software: Open-graph
 

 
This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload.

 

 


Copyright 2022, cxsecurity.com

 
