CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Parent: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
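The weakness above is most often introduced by a recursive "deep merge" or "set by path" helper (the pattern behind most of the npm advisories listed below): the helper copies attacker-controlled keys into an object, and a key such as `__proto__` makes the write land on `Object.prototype`, so every object in the process inherits the attacker's attribute. The following is an added example, not text from the CWE entry and not code from any of the listed packages; `unsafeMerge`, `safeMerge`, `demonstrate` and the JSON payload are constructed here for illustration.

```javascript
// Added illustration of CWE-1321 (not from the CWE page or any listed project).
// A recursive merge written the way many JS utility libraries once did,
// beside a hardened version. The payload below is constructed sample input.

// VULNERABLE: iterates every key of `src`, including "__proto__".
// JSON.parse('{"__proto__": {...}}') yields an object with an *own* property
// literally named "__proto__", so Object.keys()/for-in both see it. Reading
// target["__proto__"] then returns Object.prototype, and the recursion writes
// the attacker's attributes onto the shared prototype.
function unsafeMerge(target, src) {
  for (const key in src) {
    if (typeof src[key] === 'object' && src[key] !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// HARDENED: refuse the keys that reach the prototype chain, and only recurse
// into slots that are the target's own plain objects, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop prototype-reaching keys
    const value = src[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        typeof target[key] === 'object' &&
        target[key] !== null;
      if (!ownObject) {
        target[key] = {}; // start from a fresh own object, not an inherited one
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value; // arrays and primitives are copied as leaf values
    }
  }
  return target;
}

// Runs both helpers against the same constructed payload (think: a JSON
// request body merged into a config or options object) and reports whether
// an unrelated object created beforehand picked up the injected attribute.
function demonstrate() {
  const payload = '{"__proto__": {"isAdmin": true}}'; // constructed attacker input
  const user = {}; // unrelated object, created before either merge runs

  unsafeMerge({}, JSON.parse(payload));
  const pollutedIsAdmin = user.isAdmin; // true: inherited from Object.prototype
  delete Object.prototype.isAdmin;      // undo the pollution for the rest of the process

  const merged = safeMerge({}, JSON.parse(payload));
  const hardenedIsAdmin = user.isAdmin; // undefined: nothing reached the prototype

  return { pollutedIsAdmin, hardenedIsAdmin, mergedKeys: Object.keys(merged) };
}

console.log(demonstrate());
```

The hardened version still performs an ordinary deep merge of legitimate nested keys; the two changes that matter are the key denylist and the `hasOwnProperty` check before recursing, which together prevent `target[key]` from resolving to an inherited object. The same two checks apply to "set by path" helpers of the form `set(obj, 'a.b.c', value)`, where each path segment must be screened the same way.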

501 vulnerabilities with CWE-1321
CVE-2022-37609 CRITICAL
js-beautify 1.13.7 - Prototype Pollution via Name Variable in options.js
CVSS 9.8
CVE-2022-37616 CRITICAL
xmldom < 0.8.3 - Prototype Pollution via p Variable in copy Function
CVSS 9.8
CVE-2022-21169 HIGH
express-xss-sanitizer < 1.1.3 - Prototype Pollution via allowedTags Attribute
CVSS 7.3
CVE-2022-37265 CRITICAL
stealjs steal 2.2.4 - Prototype Pollution via Alias Variable in babel.js
CVSS 9.8
CVE-2022-37258 CRITICAL
stealjs steal - Prototype Pollution via packageName Variable in npm-convert.js
CVSS 9.8
CVE-2022-37264 CRITICAL
stealjs steal 2.2.4 - Prototype Pollution via optionName Variable
CVSS 9.8
CVE-2022-37266 CRITICAL
stealjs steal - Prototype Pollution via babel.js extend Function
CVSS 9.8
CVE-2022-37257 CRITICAL
stealjs steal - Prototype Pollution via npm-convert.js requestedVersion Variable
CVSS 9.8
CVE-2022-2625 HIGH
PostgreSQL - Arbitrary Code Execution via Extension Schema Object Hijacking
CVSS 8.0
CVE-2022-25907 HIGH
typescript_deep_merge < 2.0.2 - Prototype Pollution via Merge Function
CVSS 7.5
CVE-2022-2564 CRITICAL
automattic/mongoose <6.4.6 - Info Disclosure
CVSS 9.8
CVE-2022-31106 HIGH
Underscore.deep <0.5.3 - Prototype Pollution
CVSS 8.3
CVE-2022-21231 HIGH
deep-get-set - Prototype Pollution via 'deep' Function
CVSS 7.5
CVE-2022-25871 MEDIUM
querymen - Prototype Pollution via Unsanitized Handler Function Parameters
CVSS 5.9
CVE-2022-21213 HIGH
mout < 1.2.4 - Prototype Pollution via deepFillIn and deepMixIn Functions
CVSS 7.5
CVE-2022-25878 HIGH
protobufjs < 6.11.3 - Prototype Pollution via util.setProperty or ReflectionObject.setParsedOption
CVSS 8.2
CVE-2022-25862 MEDIUM
sds - Prototype Pollution via set Function
CVSS 4.0
CVE-2022-21190 HIGH
convict < 6.2.3 - Prototype Pollution via Bypass of CVE-2022-22143 Fix
CVSS 7.5
CVE-2022-25324 HIGH
bignum - Denial of Service via .powm Function Type-Check Exception
CVSS 7.5
CVE-2022-25301 HIGH
jsgui-lang-essentials - Prototype Pollution via Object Attribute Manipulation
CVSS 7.7
CVE-2022-25645 MEDIUM
dset < 3.1.2 - Prototype Pollution via Malicious Object Bypass
CVSS 6.5
CVE-2022-22143 HIGH
convict <6.2.2 - Prototype Pollution
CVSS 7.5
CVE-2022-21189 HIGH
dexie < 3.2.2 and 4.0.0-alpha.1-4.0.0-alpha.3 - Prototype Pollution via setByKeyPath Function
CVSS 7.3
CVE-2022-24279 HIGH
madlib-object-utils <0.1.8 - Prototype Pollution
CVSS 7.5
CVE-2022-21803 HIGH
nconf < 0.11.4 - Prototype Pollution via .set() Function
CVSS 7.3