23 matches found
EUVD-2019-0323
Malware in sbrugna...
EUVD-2018-0261
Malware in sbrugna...
GHSA-46FH-8FC5-XCWX Prototype Pollution in lodash.defaultsdeep
Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to Prototype Pollution. The function 'defaultsDeep' may allow a malicious user to modify the prototype of Object via __proto__, causing the addition or modification of an existing property that will exist on all objects. Recommendation: Update...
3gtel-frontend-platform (=1.0.0), @achieve-all/v-element (=1.0.0) +406 more potentially affected by CVE-2018-16486 via defaults-deep (>=0.2.3 <=0.2.4)
defaults-deep NPM version =0.2.3, =0.1.1, =1.0.0, =1.0.0, =2.0.0, =2.0.7, =0.1.0, =1.0.0, =1.0.8, =0.1.2, =1.0.3, =1.0.0, =6.0.0-rc1, =7.4.3 and more Source cves: CVE-2018-16486 Source advisory: OSV:GHSA-PJXW-22XF-6PWC...
Prototype Pollution in defaults-deep
All versions of defaults-deep are vulnerable to prototype pollution. Provided certain input, defaults-deep can add or modify properties of the Object prototype. These properties will be present on all objects. Recommendation: As no patch is currently available for this vulnerability it is our...
GHSA-PJXW-22XF-6PWC Prototype Pollution in defaults-deep
All versions of defaults-deep are vulnerable to prototype pollution. Provided certain input, defaults-deep can add or modify properties of the Object prototype. These properties will be present on all objects. Recommendation: As no patch is currently available for this vulnerability it is our...
CVE-2018-16486
A prototype pollution vulnerability was found in defaults-deep =0.2.4 that would allow a malicious user to inject properties onto Object.prototype...
Buffer overflow
A prototype pollution vulnerability was found in defaults-deep =0.2.4 that would allow a malicious user to inject properties onto Object.prototype...
CVE-2018-16486
A prototype pollution vulnerability was found in defaults-deep =0.2.4 that would allow a malicious user to inject properties onto Object.prototype...
CVE-2018-16486
Summary: CVE-2018-16486 corresponds to a prototype pollution vulnerability in the npm package defaults-deep, affecting versions ≤ 0.2.4. The vulnerability allows an attacker to inject or modify properties on Object.prototype, which can affect all objects in the runtime. Several sources (OSV, GHSA...
Prototype Pollution
Overview: Affected versions of this package are vulnerable to Prototype Pollution. The functions merge, mergeWith, and defaultsDeep could be tricked into adding or modifying properties of Object.prototype. This is due to an incomplete fix to CVE-2018-3721. Details: Prototype Pollution is a...
@anjuna/charts (>=1.0.0-preview.45 <=1.0.0-preview.47), @badgeup/badgeup-browser-client (>=0.3.0 <=3.0.0) +186 more potentially affected by CVE-2018-16487 +1 more via lodash.defaultsdeep (>=4.3.2 <=4.6.0)
lodash.defaultsdeep NPM version =4.3.2, =1.0.0-preview.45, =0.3.0, =0.1.0, =0.3.0, =6.0.2, =1.0.0-rc.1, =1.2.0, =1.0.0, =0.9.16, =0.0.1, =0.275.1-chore-update-deps.3894.0, =0.18.2-alpha.1, =3.0.0, =6.8.1, =7.1.11 and more Source cves: CVE-2018-16487, CVE-2018-3721 Source advisory:...
Prototype Pollution
Overview: lodash.merge is a Lodash method _.merge exported as a Node.js module. Affected versions of this package are vulnerable to Prototype Pollution. The functions merge, mergeWith, and defaultsDeep could be tricked into adding or modifying properties of Object.prototype. This is due to an...
Prototype Pollution
Overview: lodash-rails is a lodash for the Rails asset pipeline. Affected versions of this package are vulnerable to Prototype Pollution. The functions merge, mergeWith, and defaultsDeep could be tricked into adding or modifying properties of Object.prototype. This is due to an incomplete fix to...
@risingstack/trace (=2.0.1), democracyos-notifier (>=1.3.0 <=2.1.3) +1 more potentially affected by CVE-2018-3723 via defaults-deep (=0.2.3)
defaults-deep NPM version =0.2.3 is affected by a known vulnerability. The following packages have a transitive dependency on defaults-deep and may be impacted: - @risingstack/trace =2.0.1 - democracyos-notifier =1.3.0, =2.1.3 - oddvoter-notifier =1.1.1 Source cves: CVE-2018-3723 Source advisory:...
GHSA-CQP5-M4PQ-GFGP Prototype Pollution in defaults-deep
Versions of defaults-deep before 0.2.4 are vulnerable to prototype pollution. Recommendation: Update to version 0.2.4 or later...
Node.js third-party modules: Prototype pollution attack (defaults-deep / constructor.prototype)
I would like to report a prototype pollution vulnerability in defaults-deep. It allows an attacker to inject properties on Object.prototype. Module: module name: defaults-deep; version: 0.2.4; npm page: https://www.npmjs.com/package/defaults-deep. Module Description: Like extend but recursively copies...
CVE-2018-3723
defaults-deep node module before 0.2.4 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects...
Code injection
defaults-deep node module before 0.2.4 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects...
CVE-2018-3723
CVE-2018-3723 affects defaults-deep prior to 0.2.4, enabling prototype pollution by abusing __proto__ to modify Object.prototype. This can lead to added or altered properties existing on all objects, with potential DoS and, in some cases, remote code execution as described in linked advisories. The i...