Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-1321

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Parent: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

501 vulnerabilities with CWE-1321

CVE-2020-7608 MEDIUM

yargs-parser < 5.0.1 and 6.0.0-13.1.2 - Prototype Pollution via __proto__ Payload

CVE-2020-7600 MEDIUM

querymen < 2.1.4 - Prototype Pollution via Unsanitized Handler Parameters

CVE-2020-7598 MEDIUM

minimist < 1.2.2 - Prototype Pollution via Constructor or __proto__ Payload

CVE-2020-5258 HIGH

dojo < 1.11.10 - Prototype Pollution via deepCopy Method

CVE-2020-8116 HIGH

dot-prop <4.2.1, <5.1.1 - Prototype Pollution

CVE-2019-0230 CRITICAL

Apache Struts 2.0.0-2.5.20 - Remote Code Execution via Forced Double OGNL Evaluation

CVE-2019-10808 HIGH

utilitify < 1.0.3 - Prototype Pollution via Merge Method

CVE-2019-10806 MEDIUM

vega < 1.13.1 - Prototype Pollution via vega.mergeConfig

CVE-2019-19919 CRITICAL

handlebars.js - Prototype Pollution leading to Remote Code Execution

CVE-2019-10768 HIGH

AngularJS < 1.7.9 - Prototype Pollution via merge() Function

CVE-2019-17317 HIGH

SugarCRM 7.9.0.0-7.9.5.0 - Authenticated PHP Object Injection via UpgradeWizard Module

CVE-2019-17316 HIGH

SugarCRM 7.9.0.0-7.9.5.0 - Authenticated PHP Object Injection via Import Module

CVE-2019-17315 HIGH

SugarCRM 7.9.0.0-7.9.5.0 - Authenticated PHP Object Injection in Administration Module

CVE-2019-16328 HIGH

rpyc 4.1.0-4.1.1 - Remote Code Execution via Prototype Pollution

CVE-2019-10745 HIGH

assign-deep < 0.4.8 - Prototype Pollution via Constructor or __proto__ Payload

CVE-2019-14379 CRITICAL

jackson-databind < 2.9.9.2 - Remote Code Execution via Default Typing with Ehcache

CVE-2019-10744 CRITICAL

lodash < 4.17.12 - Prototype Pollution via defaultsDeep Function

CVE-2019-11358 MEDIUM

jQuery < 3.4.0 - Prototype Pollution via jQuery.extend

CVE-2019-9061 HIGH

CMS Made Simple < 2.2.8 - Authenticated Object Injection via Module Installation

CVE-2019-9058 HIGH

CMS Made Simple < 2.2.8 - Authenticated Object Injection via sel_groups Parameter

CVE-2018-19274 HIGH

phpBB < 3.2.4 - Authenticated Remote Code Execution via Phar Deserialization

CVE-2018-19296 HIGH

PHPMailer <5.2.27, <6.0.6 - Code Injection

CVE-2018-3721 MEDIUM

lodash < 4.17.5 - Prototype Pollution via __proto__ in defaultsDeep, merge, and mergeWith

CVE-2018-11135 HIGH

Quest KACE System Management Appliance 8.0.318 - Authenticated PHP Object Injection via /adminui/error_details.php

CVE-2018-6195 HIGH

Splashing Images < 2.1.1 - Authenticated PHP Object Injection via Session Parameter

Previous Page 20 of 21 Next

Details

Vulnerabilities 501

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy