CWE:
 

Topic
Date
Author
Med.
Proxmox VE 3 / 4 XSS / Privilege Escalation / Code Execution
27.02.2016
Nicolas CHATELAIN


CVEMAP Search Results

CVE
Details
Description
2023-08-24
Waiting for details
CVE-2023-32079

 

 
Netmaker makes networks with WireGuard. A mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest Docker image of the backend and restart the server.

 
2023-03-16
Waiting for details
CVE-2022-43441

 

 
A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially crafted JavaScript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.

 
2022-06-28
Waiting for details
CVE-2022-31106

 

 
Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to prototype pollution. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to block specific keywords, which will prevent this from happening.

 
2022-04-01
Waiting for details
CVE-2022-24802

 

 
deepmerge-ts is a TypeScript library providing functionality for deep merging of JavaScript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known workarounds for this issue.

 
2021-11-19
Medium
CVE-2021-23433

Vendor: Algolia
Software: Algoliasearc...
 

 
The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js SearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.

 
2021-11-13
Medium
CVE-2021-3918

Vendor: Json-schema project
Software: Json-schema
 

 
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

 
2021-10-20
Medium
CVE-2021-23452

Vendor: Binaryops
Software: X-assign
 

 
This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object.

 
2021-10-18
Medium
CVE-2021-23449

Vendor: Vm2 project
Software: VM2
 

 
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.

 
2021-09-06
Medium
CVE-2021-3766

Vendor: Objection project
Software: Objection
 

 
objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

 
2021-09-02
Medium
CVE-2021-3757

Vendor: Immer project
Software: Immer
 

 
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

 

 


Copyright 2024, cxsecurity.com

 
