Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

780 vulnerabilities reference this CWE, most recent first.

GHSA-93Q5-3XPC-8VG3

Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-21 21:08
VLAI
Summary
steal vulnerable to Prototype Pollution via requestedVersion variable
Details

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal via the requestedVersion variable in the npm-convert.js file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "steal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-21T21:08:13Z",
    "nvd_published_at": "2022-09-15T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal via the requestedVersion variable in the npm-convert.js file.",
  "id": "GHSA-93q5-3xpc-8vg3",
  "modified": "2022-09-21T21:08:13Z",
  "published": "2022-09-16T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37257"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/issues/1526"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stealjs/steal"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/npm-convert.js#L362"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/npm-convert.js#L371"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "steal vulnerable to Prototype Pollution via requestedVersion variable"
}

GHSA-93VW-8FM5-P2JF

Vulnerability from github – Published: 2022-11-10 13:02 – Updated: 2023-08-21 18:17
VLAI
Summary
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
Details

Impact

A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

Patches

Improved keyword detection.

Workarounds

None.

Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

References

  • https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-10T13:02:35Z",
    "nvd_published_at": "2022-11-10T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option.\n\n### Patches\n\nImproved keyword detection.\n\n### Workarounds\n\nNone.\n\n### Collaborators\n\nMikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf",
  "id": "GHSA-93vw-8fm5-p2jf",
  "modified": "2023-08-21T18:17:08Z",
  "published": "2022-11-10T13:02:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41879"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/8305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/8306"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/60c5a73d257e0d536056b38bdafef8b7130524d8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/6c63f04ba37174021082a5b5c4ba1556dcc954f4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/4.10.20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/5.3.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks"
}

GHSA-9534-H433-2RJF

Vulnerability from github – Published: 2021-05-07 16:28 – Updated: 2021-07-28 18:40
VLAI
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes in utilitify
Details

utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "utilitify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-03T18:04:07Z",
    "nvd_published_at": "2020-03-11T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.",
  "id": "GHSA-9534-h433-2rjf",
  "modified": "2021-07-28T18:40:29Z",
  "published": "2021-05-07T16:28:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10808"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xcritical-software/utilitify/commit/88d6e27009823338bf319ffb768fe6b08e8ad2d1,"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-UTILITIFY-559497"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in utilitify"
}

GHSA-957J-59C2-J692

Vulnerability from github – Published: 2021-10-12 16:26 – Updated: 2023-09-07 18:57
VLAI
Summary
Prototype pollution in getobject
Details

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "getobject"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-08T22:07:57Z",
    "nvd_published_at": "2020-12-29T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u0027getobject\u0027 version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-957j-59c2-j692",
  "modified": "2023-09-07T18:57:59Z",
  "published": "2021-10-12T16:26:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28282"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cowboy/node-getobject"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in getobject"
}

GHSA-95FF-46G6-6GW9

Vulnerability from github – Published: 2026-01-28 21:41 – Updated: 2026-01-28 21:41
VLAI
Summary
NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
Details

Summary

An authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server restart.

While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.

Details

The deepMerge() function in packages/nocodb/src/utils/dataUtils.ts does not sanitize the following keys: (__proto__, constructor, prototype):

export const deepMerge = (target: any, ...sources: any[]) => {
  // ...
  Object.keys(source).forEach((key) => {
    if (isMergeableObject(source[key])) {
      if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};
      deepMerge(target[key], source[key]);  // Recursively merges __proto__
    } else {
      target[key] = source[key];
    }
  });
  // ...
};

The testConnection endpoint (packages/nocodb/src/controllers/utils.controller.ts) passes user-controlled input directly to deepMerge():

config = await integration.getConfig();
deepMerge(config, body);

When an attacker sends {"__proto__": {"super": true}}, the super property is written to Object.prototype, affecting all plain objects in the Node.js process.

Impact

Pollutes Object.prototype globally, breaking all subsequent database write operations for all users until process restart.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.301.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-28T21:41:26Z",
    "nvd_published_at": "2026-01-28T21:16:12Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAn authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart.\n\nWhile the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.\n\n### Details\n\nThe `deepMerge()` function in `packages/nocodb/src/utils/dataUtils.ts` does not sanitize the following keys: (`__proto__`, `constructor`, `prototype`):\n\n```typescript\nexport const deepMerge = (target: any, ...sources: any[]) =\u003e {\n  // ...\n  Object.keys(source).forEach((key) =\u003e {\n    if (isMergeableObject(source[key])) {\n      if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};\n      deepMerge(target[key], source[key]);  // Recursively merges __proto__\n    } else {\n      target[key] = source[key];\n    }\n  });\n  // ...\n};\n```\n\nThe `testConnection` endpoint (`packages/nocodb/src/controllers/utils.controller.ts`) passes user-controlled input directly to `deepMerge()`:\n\n```typescript\nconfig = await integration.getConfig();\ndeepMerge(config, body);\n```\n\nWhen an attacker sends `{\"__proto__\": {\"super\": true}}`, the `super` property is written to `Object.prototype`, affecting all plain objects in the Node.js process.\n\n## Impact\n\nPollutes Object.prototype globally, breaking all subsequent database write operations for all users until process restart.",
  "id": "GHSA-95ff-46g6-6gw9",
  "modified": "2026-01-28T21:41:26Z",
  "published": "2026-01-28T21:41:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24766"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/0.301.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS"
}

GHSA-95JQ-XPH2-CX9H

Vulnerability from github – Published: 2025-07-26 00:30 – Updated: 2026-06-26 20:26
VLAI
Summary
Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
Details

Prototype Pollution in internal assign() helper in Linkify allows remote attackers to execute arbitrary JavaScript (Stored or Reflected XSS) via injection of event handlers through unfiltered proto property. This issue affects Linkify version 4.3.1 and is fixed in 4.3.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "linkifyjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.1"
            },
            {
              "fixed": "4.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.3.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-8101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-29T19:09:33Z",
    "nvd_published_at": "2025-07-25T22:15:25Z",
    "severity": "HIGH"
  },
  "details": "Prototype Pollution in internal `assign()` helper in Linkify allows remote attackers to execute arbitrary JavaScript (Stored or Reflected XSS) via injection of event handlers through unfiltered proto property. This issue affects Linkify version 4.3.1 and is fixed in 4.3.2.",
  "id": "GHSA-95jq-xph2-cx9h",
  "modified": "2026-06-26T20:26:11Z",
  "published": "2025-07-26T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8101"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nfrasser/linkifyjs/commit/931d3e28b68951b8f898ea4d6504696346b485b0"
    },
    {
      "type": "WEB",
      "url": "https://caverav.cl/posts/linkify-xss/linkify-xss"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/charly"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nfrasser/linkifyjs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nfrasser/linkifyjs/releases/tag/v4.3.2"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/linkifyjs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Linkify Allows Prototype Pollution \u0026 HTML Attribute Injection (XSS)"
}

GHSA-97JV-C342-5XHC

Vulnerability from github – Published: 2022-12-19 15:30 – Updated: 2022-12-29 23:37
VLAI
Summary
FurqanSoftware/node-whois vulnerable to Prototype Pollution
Details

A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file index.coffee. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The name of the patch is 46ccc2aee8d063c7b6b4dee2c2834113b7286076. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216252.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "whois"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-74",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-19T18:24:03Z",
    "nvd_published_at": "2022-12-19T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file `index.coffee`. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). It is possible to launch the attack remotely. The name of the patch is 46ccc2aee8d063c7b6b4dee2c2834113b7286076. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216252.",
  "id": "GHSA-97jv-c342-5xhc",
  "modified": "2022-12-29T23:37:10Z",
  "published": "2022-12-19T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FurqanSoftware/node-whois/pull/105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FurqanSoftware/node-whois/commit/46ccc2aee8d063c7b6b4dee2c2834113b7286076"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FurqanSoftware/node-whois"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.216252"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20220403104013/https://www.npmjs.com/package/whois"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FurqanSoftware/node-whois vulnerable to Prototype Pollution"
}

GHSA-97VM-C39P-JR86

Vulnerability from github – Published: 2025-08-13 21:30 – Updated: 2026-06-09 11:56
VLAI
Summary
Spree has Remote Command Execution vulnerability in search functionality
Details

Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.60.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2011-10019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T20:33:40Z",
    "nvd_published_at": "2025-08-13T21:15:29Z",
    "severity": "CRITICAL"
  },
  "details": "Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby\u2019s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.",
  "id": "GHSA-97vm-c39p-jr86",
  "modified": "2026-06-09T11:56:05Z",
  "published": "2025-08-13T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-10019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orgs/spree"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2011-10019.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spree/spree"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/17941"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Spree has Remote Command Execution vulnerability in search functionality"
}

GHSA-9829-JJ5P-J6HF

Vulnerability from github – Published: 2021-05-06 18:26 – Updated: 2021-05-05 17:39
VLAI
Summary
Prototype Pollution in worksmith
Details

All versions up to and including 1.0.0 of the package worksmith are vulnerable to Prototype Pollution via the setValue function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "worksmith"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T17:39:52Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions up to and including 1.0.0 of the package worksmith are vulnerable to Prototype Pollution via the setValue function.",
  "id": "GHSA-9829-jj5p-j6hf",
  "modified": "2021-05-05T17:39:52Z",
  "published": "2021-05-06T18:26:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7725"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-WORKSMITH-598798"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in worksmith"
}

GHSA-992F-WF4W-X36V

Vulnerability from github – Published: 2020-09-01 21:16 – Updated: 2020-08-31 18:33
VLAI
Summary
Prototype Pollution in merge-objects
Details

All versions of merge-objects are vulnerable to Prototype Pollution.

Recommendation

No fix is available for this vulnerability at this time. It is our recommendation to use an alternative package.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "merge-objects"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:33:09Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "All versions of `merge-objects` are vulnerable to Prototype Pollution.\n\n\n## Recommendation\n\nNo fix is available for this vulnerability at this time. It is our recommendation to use an alternative package.",
  "id": "GHSA-992f-wf4w-x36v",
  "modified": "2020-08-31T18:33:09Z",
  "published": "2020-09-01T21:16:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/310706"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/716"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in merge-objects"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.