Total
304 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-6195 | 1 Splashing Images Project | 1 Splashing Images | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php. | |||||
| CVE-2018-3721 | 2 Lodash, Netapp | 3 Lodash, Active Iq Unified Manager, System Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects. | |||||
| CVE-2018-11135 | 1 Quest | 1 Kace System Management Appliance | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
| The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks. | |||||
| CVE-2024-52441 | 2024-11-20 | N/A | 9.8 CRITICAL | ||
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn allows Object Injection.This issue affects Quick Learn: from n/a through 1.0.1. | |||||
| CVE-2024-45277 | 1 Sap | 1 Hana-client | 2024-11-14 | N/A | 4.3 MEDIUM |
| The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity. | |||||
| CVE-2024-48910 | 2024-11-01 | N/A | 9.1 CRITICAL | ||
| DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2. | |||||
| CVE-2024-39012 | 1 Ais | 1 Strategyen | 2024-10-22 | N/A | 9.8 CRITICAL |
| ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-21489 | 2024-10-04 | N/A | 8.2 HIGH | ||
| Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype. | |||||
| CVE-2024-45815 | 1 Backstage | 1 Backstage | 2024-09-23 | N/A | 6.5 MEDIUM |
| Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-45282 | 1 Nasa | 1 Openmct | 2024-09-19 | N/A | 7.5 HIGH |
| In NASA Open MCT (aka openmct) before 3.1.0, prototype pollution can occur via an import action. | |||||
| CVE-2022-3901 | 1 Visioglobe | 1 Visioweb | 2024-09-12 | N/A | 6.1 MEDIUM |
| Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system. | |||||
| CVE-2024-21529 | 2024-09-11 | N/A | 8.2 HIGH | ||
| Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program. | |||||
| CVE-2024-21528 | 2024-09-10 | N/A | 5.9 MEDIUM | ||
| All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper user input sanitization. | |||||
| CVE-2024-38998 | 1 Requirejs | 1 Requirejs | 2024-09-09 | N/A | 9.8 CRITICAL |
| jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function config. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-45435 | 1 Chartist | 1 Chartist | 2024-09-03 | N/A | 9.8 CRITICAL |
| Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. | |||||
| CVE-2024-36580 | 2024-08-22 | N/A | 9.8 CRITICAL | ||
| A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code. | |||||
| CVE-2024-30564 | 2024-08-22 | N/A | 9.8 CRITICAL | ||
| An issue inandrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method. | |||||
| CVE-2024-21509 | 2024-08-22 | N/A | 6.5 MEDIUM | ||
| Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js. | |||||
| CVE-2024-37287 | 1 Elastic | 1 Kibana | 2024-08-22 | N/A | 7.2 HIGH |
| A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution. | |||||
| CVE-2024-39014 | 2024-08-21 | N/A | 9.8 CRITICAL | ||
| ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||