CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Parent: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

501 vulnerabilities with CWE-1321
CVE-2022-36059 HIGH
matrix-js-sdk <19.4.0 - Info Disclosure
CVSS 8.2
CVE-2022-3901 HIGH
Visioweb.js 1.10.6 - Prototype Pollution leading to Cross-Site Scripting
CVSS 7.2
CVE-2022-4742 MEDIUM
json-pointer < 0.6.2 - Prototype Pollution via set Function
CVSS 6.3
CVE-2022-46175 HIGH
json5 <1.0.2 and >=2.0.0 <2.2.2 - Prototype Pollution via __proto__ Key Parsing
CVSS 7.1
CVE-2022-2200 HIGH
Firefox < 102.0 and Firefox ESR < 91.11 - Prototype Pollution leading to Privileged Code Execution
CVSS 8.8
CVE-2022-1802 HIGH
Firefox < 100.0.2, Firefox ESR < 91.9.1, Thunderbird < 91.9.1 - Privileged JavaScript Execution via Prototype Pollution
CVSS 8.8
CVE-2022-1529 HIGH
Firefox < 100.0.2 and Firefox ESR < 91.9.1 - Prototype Pollution via Parent Process Message Handling
CVSS 8.8
CVE-2022-25904 HIGH
safe-eval < 0.4.1 - Prototype Pollution via safeEval Function
CVSS 7.5
CVE-2022-24999 HIGH
QS < 6.2.4 - Prototype Pollution
CVSS 7.5
CVE-2022-41878 HIGH
Parse Server <5.3.2, <4.10.19 - Auth Bypass
CVSS 7.2
CVE-2022-41879 HIGH
Parse Server <5.3.3,4.10.20 - Prototype Pollution
CVSS 7.2
CVE-2022-39396 CRITICAL
Parse Server < 4.10.18 and 5.X < 5.3.1 - Remote Code Execution via Prototype Pollution
CVSS 9.8
CVE-2022-42743 MEDIUM
deep-parse-json 1.0.2 - Prototype Pollution via __proto__ Key Injection
CVSS 5.3
CVE-2022-41714 MEDIUM
fastest-json-copy <1.0.1 - Code Injection
CVSS 5.3
CVE-2022-41713 MEDIUM
deep-object-diff <1.1.0 - Code Injection
CVSS 5.3
CVE-2022-37623 CRITICAL
browserify-shim < 3.8.16 - Prototype Pollution via resolveShims Function
CVSS 9.8
CVE-2022-37621 CRITICAL
browserify-shim < 3.8.16 - Prototype Pollution via resolveShims fullPath Variable
CVSS 9.8
CVE-2022-39357 HIGH
Winter 1.1.8-1.1.9, 1.2.0 - Prototype Pollution in Snowboard Framework
CVSS 8.1
CVE-2022-29823 CRITICAL
feathers-sequelize 6.0.0-6.3.3 - Remote Code Execution via Prototype Pollution in cleanQuery
CVSS 10.0
CVE-2022-37598 CRITICAL
UglifyJS 3.13.2 - Prototype Pollution via DEFNODE Function Name Variable
CVSS 9.8
CVE-2022-37602 CRITICAL
grunt-karma 4.0.1 - Prototype Pollution via Key Variable
CVSS 9.8
CVE-2022-37601 CRITICAL
webpack.js loader-utils <1.4.1 and >=2.0.0 <2.0.3 - Prototype Pollution via parseQuery Function
CVSS 9.8
CVE-2022-37614 CRITICAL
mockery - Prototype Pollution via Key Variable in enable Function
CVSS 9.8
CVE-2022-37611 CRITICAL
gh-pages < 5.0.0 - Prototype Pollution via Partial Variable in util.js
CVSS 9.8
CVE-2022-37617 CRITICAL
browserify-shim < 3.8.16 - Prototype Pollution via resolveShims Function
CVSS 9.8