22 matches found
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution in the process of copying enumerable properties from a user-supplied object to a generated message instance without filtering the proto property. An attacker can alter the prototype of individual message instances by...
Prototype Pollution
Overview org.webjars.npm:defu is a Recursively assign default properties. Lightweight and Fast! Affected versions of this package are vulnerable to Prototype Pollution via the defu function. An attacker can override default configuration values by supplying crafted input containing a proto key,...
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution in the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject functions. An attacker can inject arbitrary properties into object prototypes by supplying crafted input containing special keys, potentially leading...
Prototype Pollution
Overview rollbar is an Effortlessly track and debug errors in your JavaScript applications with Rollbar. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. Affected versions of this package are vulnerable to Prototyp...
Prototype Pollution
Overview ts-fns is a Public Functions. Affected versions of this package are vulnerable to Prototype Pollution via the assign function. An attacker can inject arbitrary properties into the global object's prototype by supplying crafted keys, which may result in application crashes, unexpected cod...
Prototype Pollution
Overview expr-eval is a Mathematical expression evaluator Affected versions of this package are vulnerable to Prototype Pollution via the evaluation process, which accesses global values by searching for item.value in expr.functions. An attacker can access prototype, proto, constructor, and assig...
Prototype Poisoning
Overview mysql2 is a mostly API compatible with mysqljs and supports majority of features. Affected versions of this package are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in textparser.js and...
Cross-site Scripting (XSS)
Overview livewire/livewire is an A front-end framework for Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS when a page uses Url for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and...
Prototype Pollution
Overview fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to Prototype Pollution due to improper argument validation, which is exploitable via the aName variable. PoC js const XMLParser, XMLBuilder, XMLValidator...
Prototype Pollution
Overview algoliasearch-helper is a Helper for implementing advanced search features with algolia Affected versions of this package are vulnerable to Prototype Pollution in the merge function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the...
Sandbox Bypass
Overview Affected versions of this package are vulnerable to Sandbox Bypass. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. Note: This vulnerability derives...
Prototype Pollution
Overview keyget is an Is nested object manipulation kit. It can find, get, set, push or call nested properties. Note: The package is deprecated due to prototype pollution vulnerability. Affected versions of this package are vulnerable to Prototype Pollution via the methods set, push, and at which...
Sandbox Bypass
Overview realms-shim is a shim implementation of the Realm API Proposal. Affected versions of this package are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. PoC javascript import Realm from 'realms-shim' let realm = Realm.makeRootRealm; realm.evaluate function test try tes...
Prototype Pollution
Overview jsonpointer is a Simple JSON Addressing. Affected versions of this package are vulnerable to Prototype Pollution. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays. PoC const jsonpointer = require'jsonpointer'...
Prototype Pollution
Overview total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application. Affected versions of this package are vulnerable to Prototype Pollution. The set function can be...
Prototype Pollution
Overview json-ptr is a complete implementation of JSON Pointer RFC 6901 for nodejs and modern browsers. Affected versions of this package are vulnerable to Prototype Pollution. The issue occurs in the set operation https://flitbit.github.io/json-ptr/classes/srcpointer.jsonpointer.htmlset when the...
Prototype Pollution
Overview safetydance is an Exception safety in node.js Affected versions of this package are vulnerable to Prototype Pollution via the set function. POC: const safetydance = require'safetydance'; safetydance.set, 'proto.polluted', true; console.logpolluted; //true Details Prototype Pollution is a...
Prototype Pollution
Overview node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing...
Prototype Pollution
Overview grpc is a gRPC Library for Node Affected versions of this package are vulnerable to Prototype Pollution via loadPackageDefinition. POC: const loadPackageDefinition = require'grpc'; loadPackageDefinition'proto.polluted': true; console.logpolluted; Details Prototype Pollution is a...
Prototype Pollution
Overview deeps is a Highly performant utilities to manage deeply nested objects. get, set, merge, flatten, diff etc. Affected versions of this package are vulnerable to Prototype Pollution via the set function. POC: const deeps = require'deeps'; deeps.set, 'proto.polluted', true;...