CVE-2022-21122

The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor...

linux-cmdline is vulnerable to Prototype Pollution via the constructor

The package linux-cmdline is a parser for Linux kernel command line arguments. Versions before 1.0.1 are vulnerable to Prototype Pollution via the constructor...

GHSA-2C29-WC65-4CX9 linux-cmdline is vulnerable to Prototype Pollution via the constructor

The package linux-cmdline is a parser for Linux kernel command line arguments. Versions before 1.0.1 are vulnerable to Prototype Pollution via the constructor...

Prototype Pollution

convict is vulnerable to prototype pollution.A bypass of the fix for CVE-2022-22143 is possible which allows an attacker to inject properties into existing construct prototypes via the main.js and modify attributes such as proto, constructor, and prototype...

GHSA-H7RX-R733-7X7R Sandbox bypass in Jenkins Script Security Plugin sandbox bypass

Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection...

Sandbox bypass in Jenkins Script Security Plugin sandbox bypass

Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection...

GHSA-P3PG-64PV-V7JG Prototype Pollution in jsgui-lang-essentials

All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype...

Prototype Pollution

Overview Affected versions of this package are vulnerable to Prototype Pollution in the Dexie.setByKeyPathobj, keyPath, value function which does not properly check the keys being set like proto or constructor. This can allow an attacker to add/modify properties of the Object.prototype leading to...

Automatic named constructor discovery in Valinor

Design issue - automatic constructor discovery The issue arises when upgrading from cuyz/valinor:0.3.0 to a newer system on an existing application, which broke due to the wrong constructor being picked. Still, a bigger security concern is problematic, and it is akin to...

Denial of services in proxy context by setting immutable privileged addresses in constructor in upgradeable contracts

Lines of code Vulnerability details Impact Privileged immutable addresses in LenderPool such as POOLEDCREDITLINE, SAVINGSACCOUNT and VERIFICATION are set in the constructor in the logic contract. These values are run at the time of deployment and affect only the local storage of the logic contrac...

Prototype Pollution

libnested is vulnerable to prototype pollution. An attacker can inject properties into existing construct prototypes via the set function in the index.js and modify attributes such as proto, constructor, and prototype...

Code injection in accesslog

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

GHSA-8M2F-74R2-X3F2 Code injection in accesslog

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

CVE-2022-25760

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

CVE-2022-25760

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

Code injection

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

CVE-2022-25760

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

accesslog 代码注入漏洞

accesslog is a simple generic/combined accesslog middleware from the individual developers at Starbuck Starfish in the United States. A security vulnerability exists in accesslog, which stems from a lack of filtering and escaping in the constructor. The vulnerability can be exploited to execute...

Anyone can be _owner

Lines of code Vulnerability details Impact Anyone can be owner by calling initialize Proof of Concept initialize can called multiple times as the name 'initialize' should intended to be called one time when the contract deployed. Nothing prevent it to be called multiple times, and claim the...

CVE-2021-23597

This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. Note: This is a bypass of CVE-2020-8136 https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382...