24 matches found
EUVD-2021-2500
Malware in sbrugna...
CVE-2021-25953
Prototype pollution vulnerability in 'putil-merge' versions 1.0.0 through 3.6.6 allows an attacker to cause a denial of service and may lead to remote code execution...
Prototype Pollution
putil-merge is vulnerable to prototype pollution. The vulnerability exists because validations are not handled properly in the merge method in the merge.js file, which allows an attacker to inject properties into existing construct prototypes and modify attributes...
@cscharpf/minio-client-versioned (>=1.0.0 <=1.0.8), @iliad.dev/strapi-adapter (>=0.0.43 <=0.2.2) +46 more potentially affected by CVE-2021-23470 via putil-merge (>=1.2.0 <=3.13.0)
putil-merge NPM version =1.2.0, =1.0.0, =0.0.43, =0.6.0, =0.12.0, =0.6.0, =0.6.0, =0.6.0, =1.0.0-beta.3, =0.6.0, =0.10.0, =0.6.0, =0.93.1, =4.0.1, =4.0.1, =5.0.3 and more Source cves: CVE-2021-23470 Source advisory: OSV:GHSA-4G77-CVGW-GRVW...
Prototype Pollution in putil-merge
This affects the package putil-merge before 3.8.0. The merge function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in...
GHSA-4G77-CVGW-GRVW Prototype Pollution in putil-merge
This affects the package putil-merge before 3.8.0. The merge function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in...
CVE-2021-23470
This affects the package putil-merge before 3.8.0. The merge function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in...
CVE-2021-23470
This affects the package putil-merge before 3.8.0. The merge function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in...
Hardcoded credentials
This affects the package putil-merge before 3.8.0. The merge function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in...
CVE-2021-23470
CVE-2021-23470 (NVD OSV entries) affects the package putil-merge up to version 3.8.0. The vulnerability arises in the merge() function, which does not validate incoming values, allowing an attacker to inject properties via the constructor property and pollute prototypes. The issue is described as...
CVE-2021-23470 Prototype Pollution
This affects the package putil-merge before 3.8.0. The merge function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in...
putil-merge security vulnerability
putil-merge is an open source solution for merging two or more objects. It supports deep merging, cloning attributes, copying descriptors and filtering. A security vulnerability exists in putil-merge versions prior to 3.8.0, which stems from the merge function not checking the values of incoming...
@cscharpf/minio-client-versioned (>=1.0.0 <=1.0.8), @iliad.dev/strapi-adapter (>=0.0.43 <=0.2.2) +46 more potentially affected by CVE-2021-23470 via putil-merge (=3.13.0)
putil-merge NPM version =3.13.0 is affected by a known vulnerability. The following packages have a transitive dependency on putil-merge and may be impacted: - @cscharpf/minio-client-versioned =1.0.0, =0.0.43, =0.6.0, =0.12.0, =0.6.0, =0.6.0, =0.6.0, =1.0.0-beta.3, =0.6.0, =0.10.0, =0.6.0, =0.93....
Prototype Pollution
Overview: putil-merge is a lightweight solution for merging multiple objects into one. It also supports deep merge. Affected versions of this package are vulnerable to Prototype Pollution. The merge function does not check the values passed into the argument. An attacker can supply a malicious val...
@cscharpf/minio-client-versioned (>=1.0.0 <=1.0.8), @iliad.dev/strapi-adapter (>=0.0.43 <=0.2.2) +46 more potentially affected by CVE-2021-25953 via putil-merge (>=1.2.0 <=3.13.0)
putil-merge NPM version =1.2.0, =1.0.0, =0.0.43, =0.6.0, =0.12.0, =0.6.0, =0.6.0, =0.6.0, =1.0.0-beta.3, =0.6.0, =0.10.0, =0.6.0, =0.93.1, =4.0.1, =4.0.1, =5.0.3 and more Source cves: CVE-2021-25953 Source advisory: OSV:GHSA-9X7M-9HPG-XXMW...
Prototype Pollution in putil-merge
Prototype pollution vulnerability in 'putil-merge' versions 1.0.0 through 3.6.6 allows an attacker to cause a denial of service and may lead to remote code execution...
GHSA-9X7M-9HPG-XXMW Prototype Pollution in putil-merge
Prototype pollution vulnerability in 'putil-merge' versions 1.0.0 through 3.6.6 allows an attacker to cause a denial of service and may lead to remote code execution...
CVE-2021-25953
Prototype pollution vulnerability in 'putil-merge' versions 1.0.0 through 3.6.6 allows an attacker to cause a denial of service and may lead to remote code execution...
CVE-2021-25953
Prototype pollution vulnerability in 'putil-merge' versions 1.0.0 through 3.6.6 allows an attacker to cause a denial of service and may lead to remote code execution...
Remote code execution
Prototype pollution vulnerability in 'putil-merge' versions 1.0.0 through 3.6.6 allows an attacker to cause a denial of service and may lead to remote code execution...