| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions. |
| Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function. |
| All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions. |
| All versions of package dot-notes are vulnerable to Prototype Pollution via the create function. |
| All versions of package deeps are vulnerable to Prototype Pollution via the set function. |
| All versions of package deep-get-set are vulnerable to Prototype Pollution via the main function. |
| All versions of package confucious are vulnerable to Prototype Pollution via the set function. |
| All versions of package arr-flatten-unflatten are vulnerable to Prototype Pollution via the constructor. |
| The package irrelon-path before 4.7.0; the package @irrelon/path before 4.7.0 are vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions. |
| The package property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function. |
| The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie. |
| This affects the package MintegralAdSDK from 0.0.0. The SDK distributed by the company contains malicious functionality that tracks any URL opened by the app and reports it back to the company, along with performing advertisement attribution fraud. Mintegral can remotely activate hooks on the UIApplication, openURL, SKStoreProductViewController, loadProductWithParameters and NSURLProtocol methods along with anti-debug and proxy detection protection. If those hooks are active MintegralAdSDK sends obfuscated data about every opened URL in an application to their servers. Note that the malicious functionality is enabled even if the SDK was not enabled to serve ads. |
| The package linux-cmdline before 1.0.1 are vulnerable to Prototype Pollution via the constructor. |
| All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function. |
| All versions of package templ8 are vulnerable to Prototype Pollution via the parse function. |
| madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue. |
| All versions of phpjs are vulnerable to Prototype Pollution via parse_str. |
| This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. |
| This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file). |
| Data is truncated wrong when its length is greater than 255 bytes. |
