CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Parent: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

501 vulnerabilities with CWE-1321
CVE-2024-56059 CRITICAL
Mighty Digital Partners <0.2.0 - Code Injection
CVSS 9.8
CVE-2024-21548 HIGH
bun >=0.0.12 <1.1.30 - Prototype Pollution via Object Input
CVSS 7.5
CVE-2024-54156 MEDIUM
JetBrains YouTrack <2024.3.52635 - Prototype Pollution
CVSS 4.2
CVE-2024-52810 MEDIUM
intlify/shared 9.7.0-9.14.1 and 10.0.0-10.0.4 - Prototype Pollution via deepCopy Function
CVE-2024-52441 CRITICAL
Rajesh Thanoch Quick Learn <1.0.1 - Code Injection
CVSS 9.8
CVE-2024-48910 CRITICAL
DOMPurify < 2.4.2 - Prototype Pollution
CVSS 9.1
CVE-2024-45277 MEDIUM
SAP HANA Node.js client <2.21.31 - Prototype Pollution
CVSS 4.3
CVE-2024-21489 HIGH
uplot < 1.6.31 - Prototype Pollution via uplot.assign Function
CVSS 8.2
CVE-2024-45815 MEDIUM
Backstage < 1.26.0 - Authenticated Denial of Service via Catalog API Query
CVSS 6.5
CVE-2024-45801 HIGH
DOMPurify < 2.5.4 - Cross-Site Scripting Bypass via Depth Check Evasion
CVSS 7.3
CVE-2024-21529 HIGH
dset < 3.1.4 - Prototype Pollution via __proto__ Property Injection
CVSS 8.2
CVE-2024-21528 MEDIUM
node-gettext - Prototype Pollution via addTranslations() Function
CVSS 5.9
CVE-2024-45435 CRITICAL
Chartist 1.0.0-1.3.0 - Prototype Pollution via Extend Function
CVSS 9.8
CVE-2024-37287 CRITICAL
Kibana 7.7.0-7.17.23 - Authenticated Remote Code Execution via Prototype Pollution in ML and Alerting Connector Features
CVSS 9.1
CVE-2024-38989 CRITICAL
bunt < 0.29.26 - Prototype Pollution via qs.js Component
CVSS 9.8
CVE-2024-38983 CRITICAL
alykoshin mini-deep-assign 0.0.8 - Prototype Pollution via _assign() Method
CVSS 9.8
CVE-2024-39012 CRITICAL
ais strategyen 0.4.0 - Prototype Pollution via mergeObjects Function
CVSS 9.8
CVE-2024-39011 CRITICAL
chargeover redoc v2.0.9-rc.69 - Prototype Pollution via mergeObjects Function
CVSS 9.8
CVE-2024-39010 CRITICAL
chasemoskal snapstate 0.0.9 - Prototype Pollution via attemptNestedProperty Function
CVSS 9.8
CVE-2024-38986 CRITICAL
75lb deep-merge < 1.1.2 - Prototype Pollution via Lodash Merge Methods
CVSS 9.8
CVE-2024-38984 CRITICAL
lukebond json-override 0.2.0 - Prototype Pollution via __proto__ Property
CVSS 9.8
CVE-2024-36572 CRITICAL
allpro form-manager 0.7.4 - Prototype Pollution via setDefaults, mergeBranch, and Object.setObjectValue
CVSS 9.8
CVE-2024-33519 HIGH
HPE Aruba Networking EdgeConnect - RCE
CVSS 7.2
CVE-2024-22443 HIGH
EdgeConnect SD-WAN Orchestrator - Command Injection
CVSS 7.2
CVE-2024-39853 MEDIUM
swiper - Prototype Pollution via Parse Function
CVSS 6.5