49 matches found
Prototype Pollution
Overview jodit is a Jodit is awesome and usefully wysiwyg editor with filebrowser Affected versions of this package are vulnerable to Prototype Pollution via the Jodit.modules.Helpers.set function. An attacker can inject unexpected properties into Object.prototype by supplying a crafted chain...
Prototype Pollution
Overview defu is a Recursively assign default properties. Lightweight and Fast! Affected versions of this package are vulnerable to Prototype Pollution via the defu function. An attacker can override default configuration values by supplying crafted input containing a proto key, which results in...
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution via the .unset and .omit functions. An attacker can delete properties from built-in prototypes by supplying array-wrapped path segments, potentially impacting application behaviour. Notes: 1 Version 4.18.0 was intend...
Prototype Pollution
Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Prototype Pollution via the uneval method. An attacker can manipulate object prototypes by supplying...
Prototype Pollution
Overview @casl/ability is a CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access Affected versions of this package are vulnerable to Prototype Pollution via the rulesToFields which handles object properties. An attacker can inject...
Prototype Pollution
Overview messageformat is an Intl.MessageFormat / Unicode MessageFormat 2 parser, runtime and polyfill Affected versions of this package are vulnerable to Prototype Pollution via improper handling of message key paths containing special characters in the process when processing nested message key...
Prototype Pollution
Overview csvjson is a convert csv to json and json to csv Affected versions of this package are vulnerable to Prototype Pollution via the toCsv function. An attacker can cause a denial of service by injecting properties into Object.prototype through a crafted payload. Details Prototype Pollution ...
Prototype Pollution
Overview org.webjars.npm:rollbar is an Effortlessly track and debug errors in your JavaScript applications with Rollbar. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. Affected versions of this package are...
Prototype Pollution
Overview sassdoc-extras is a SassDoc's Toolbelt Affected versions of this package are vulnerable to Prototype Pollution via the byGroupAndType function. An attacker can inject arbitrary properties into Object.prototype by supplying a crafted payload, potentially causing application instability or...
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution via the attachToObject function. An attacker can inject arbitrary properties into Object.prototype by supplying a crafted payload, potentially causing application instability or denial of service. Details Prototype...
Prototype Pollution
Overview rollbar is an Effortlessly track and debug errors in your JavaScript applications with Rollbar. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. Affected versions of this package are vulnerable to Prototyp...
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution via the attachToObject function. An attacker can inject arbitrary properties into Object.prototype by supplying a crafted payload, potentially leading to application instability or service disruption. Details Prototy...
Prototype Pollution
Overview mpregular is a Affected versions of this package are vulnerable to Prototype Pollution via the mp.addEventHandler function. An attacker can cause application instability or crash by injecting malicious properties into Object.prototype through a specially crafted payload. Details Prototyp...
Prototype Pollution
Overview docarray is a The data structure for multimodal data Affected versions of this package are vulnerable to Prototype Pollution due to a lack of sanitization of unauthorized internal object in the getitem method. An attacker can manipulate object prototype attributes by sending a crafted...
Prototype Pollution
Amendment This was deemed not a vulnerability. Overview Affected versions of this package are vulnerable to Prototype Pollution via the config function, due to improper sanitization of its parameter content. Note: This advisory is revoked as a duplicate of CVE-2024-38999. PoC js var requirejs=...
Prototype Pollution
Overview safe-eval is a Safer version of eval Affected versions of this package are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content. PoC js var safeEval = require'safe-eval' let code = function Error.prepareStackTrace = , c = c.ma...
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution via object-extend. PoC js const extend = require"object-extend"; const payload = JSON.parse'"proto":"isAdmin":"yes"'; extend, payload; const obj = "a":1; console.logobj.isAdmin // print yes on arbitrary objects since...
Prototype Pollution
Overview putil-merge is a Lightweight solution for merging multiple objects into one. Also it supports deep merge. Affected versions of this package are vulnerable to Prototype Pollution. The merge function does not check the values passed into the argument. An attacker can supply a malicious val...
Denial of Service (DoS)
Overview bignum is an Arbitrary precision integral arithmetic for Node.js using OpenSSL. This library is based on node-bigint by substack, but instead of using libgmp, it uses the builtin bignum functionality provided by OpenSSL. The advantage is that OpenSSL is already part of Node.js, so this...
Prototype Pollution
Overview set-in is a set value of nested associative structure given array of keys Affected versions of this package are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. Note: This vulnerability derives from an incomplete fix of...