35 matches found
CVE-2026-27837 Dottie vulnerable to prototype pollution bypass via non-first path segments in set() and transform()
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path, allowing an attacker to bypass the...
CVE-2026-27837
CVE-2026-27837 : Dottie (JavaScript) has a prototype pollution bypass due to a guard that only validates the first segment of a dot-separated path. Versions 2.0.4–2.0.6 contain an incomplete fix for CVE-2023-26132; an attacker can bypass protection by placing proto at any non-first position. Both...
EUVD-2020-1425
Malware in sbrugna...
EUVD-2021-0594
Malware in sbrugna...
Freescout set function deserialization vulnerability
FreeScout is an open source helpdesk system built on the PHP Laravel framework, designed to provide users with functionality similar to Zendesk or Help Scout, but without sacrificing privacy or freedom. Freescout suffers from a deserialization vulnerability that stems from the fact that through t...
depath and cool-path vulnerable to Prototype Pollution via `set()` Method
janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set method at setIn lib/index.js:90. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service DoS via injecting arbitrary properties...
Tenda AC15 fromSysToolRestoreSet Method Cross-Site Request Forgery Vulnerability
Tenda AC15 is a dual-band wireless router launched by Shenzhen Jixiang Tenda Technology Co. in October 2015, which supports 802.11ac protocol with a theoretical transmission rate of 1900Mbps 600Mbps in 2.4GHz band and 1300Mbps in 5GHz band. The Tenda AC15 suffers from a cross-site request forgery...
Tenda AC18 安全漏洞
Tenda AC18 is a dual-band wireless router launched by Shenzhen Jixiang Tenda Technology Co. in July 2016, mainly for villas and large home users. Tenda AC18 suffers from a buffer overflow vulnerability, which originates from a buffer overflow vulnerability in the ssid parameter of the...
Linux kernel Competition Condition Problem Vulnerability
The Linux kernel is the kernel used by the Linux Foundation's open source operating system Linux. A security vulnerability exists in the Linux kernel due to an I2cap connection or broadcast exception in the conn,advmin,maxintervalset method of net/bluetooth...
USN-5967-1: object-path vulnerabilities
It was discovered that the set method in object-path could be corrupted as a result of prototype pollution by sending a message to the parent process. An attacker could use this issue to cause object-path to crash. CVE-2020-15256, CVE-2021-23434, CVE-2021-3805...
USN-5967-1 node-object-path vulnerabilities
It was discovered that the set method in object-path could be corrupted as a result of prototype pollution by sending a message to the parent process. An attacker could use this issue to cause object-path to crash. CVE-2020-15256, CVE-2021-23434, CVE-2021-3805...
Roundup xml-rpc server improper check of property permissions
The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the 1 list, 2 display, and 3 set methods...
GHSA-FM93-FHH2-CG2C Duplicate Advisory: Prototype Pollution in min-dash
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2m53-83f3-562j. This link is maintained to preserve external references. Original Description The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement...
Duplicate Advisory: Prototype Pollution in min-dash
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2m53-83f3-562j. This link is maintained to preserve external references. Original Description The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement...
min-dash 安全漏洞
min-dash is a minimal utility belt for use with bpmn.io related libraries. A security vulnerability exists in versions prior to min-dash 3.8.1, which stems from the lack of critical type enforcement and makes the software susceptible to prototype contamination via the set method...
Prototype Pollution
Overview min-dash is a Minimal utility tool belt to be used with bpmn.io related libraries. Affected versions of this package are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types. PoC: js let parser = require"min-dash"; parser.set, "proto", "polluted",...
GHSA-2C25-XFPQ-8W9R Cross-site scripting in jfinal
An issue was discovered in JFinal framework v4.9.10 and below. The "set" method of the "Controller" class of jfinal framework is not strictly filtered, which will lead to XSS vulnerabilities in some cases...
CVE-2021-23389
The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set and U.get functions...
Cross site scripting
An issue was discovered in JFinal framework v4.9.10 and below. The "set" method of the "Controller" class of jfinal framework is not strictly filtered, which will lead to XSS vulnerabilities in some cases...
Session Cookies Detected
The scanner collected the session cookies returned by the application during an authenticated scan. The list includes the following information for each cookie: - Name: name of the cookie - Value: value of the cookie - Domain: hosts to which the cookie will be sent - Path: URL path which must exi...