Export limit exceeded: 364861 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364861 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-23446 | 1 Handsontable | 1 Handsontable | 2024-11-21 | 7.5 High |
| The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function. | ||||
| CVE-2021-23445 | 2 Datatables, Redhat | 2 Datatables.net, Jboss Enterprise Application Platform | 2024-11-21 | 3.1 Low |
| This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped. | ||||
| CVE-2021-23444 | 1 Client | 1 Jointjs | 2024-11-21 | 5.6 Medium |
| This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function. | ||||
| CVE-2021-23443 | 1 Adonisjs | 1 Edge | 2024-11-21 | 5.4 Medium |
| This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used. | ||||
| CVE-2021-23442 | 1 Cookiex-deep Project | 1 Cookiex-deep | 2024-11-21 | 8.6 High |
| This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object. | ||||
| CVE-2021-23440 | 3 Oracle, Redhat, Set-value Project | 4 Communications Cloud Native Core Policy, Acm, Openshift Data Foundation and 1 more | 2024-11-21 | 7.3 High |
| This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays. | ||||
| CVE-2021-23439 | 1 Johndatserakis | 1 File-upload-with-preview | 2024-11-21 | 4.2 Medium |
| This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file). | ||||
| CVE-2021-23438 | 1 Mpath Project | 1 Mpath | 2024-11-21 | 5.6 Medium |
| This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input. | ||||
| CVE-2021-23437 | 2 Fedoraproject, Python | 2 Fedora, Pillow | 2024-11-21 | 7.5 High |
| The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. | ||||
| CVE-2021-23436 | 2 Immer Project, Redhat | 2 Immer, Jboss Enterprise Bpms Platform | 2024-11-21 | 5.6 Medium |
| This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type. | ||||
| CVE-2021-23435 | 1 Thoughtbot | 1 Clearance | 2024-11-21 | 7.6 High |
| This affects the package clearance before 2.5.0. The vulnerability can be possible when users are able to set the value of session[:return_to]. If the value used for return_to contains multiple leading slashes (/////example.com) the user ends up being redirected to the external domain that comes after the slashes (http://example.com). | ||||
| CVE-2021-23434 | 3 Debian, Object-path Project, Redhat | 3 Debian Linux, Object-path, Acm | 2024-11-21 | 5.6 Medium |
| This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different. | ||||
| CVE-2021-23433 | 1 Algolia | 1 Algoliasearch-helper | 2024-11-21 | 5.9 Medium |
| The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns. | ||||
| CVE-2021-23432 | 1 Mootools Project | 1 Mootools | 2024-11-21 | 5.4 Medium |
| This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge() | ||||
| CVE-2021-23431 | 1 Joplinapp | 1 Joplin | 2024-11-21 | 5.4 Medium |
| The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms. | ||||
| CVE-2021-23430 | 1 Startserver Project | 1 Startserver | 2024-11-21 | 7.5 High |
| All versions of package startserver are vulnerable to Directory Traversal due to missing sanitization. | ||||
| CVE-2021-23429 | 1 Transpile Project | 1 Transpile | 2024-11-21 | 6.5 Medium |
| All versions of package transpile are vulnerable to Denial of Service (DoS) due to a lack of input sanitization or whitelisting, coupled with improper exception handling in the .to() function. | ||||
| CVE-2021-23428 | 1 Elfinder.netcore Project | 1 Elfinder.netcore | 2024-11-21 | 8.6 High |
| This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Due to missing sanitation of the user input and a missing check of the generated path its possible to escape the Files directory via path traversal | ||||
| CVE-2021-23427 | 1 Elfinder.netcore Project | 1 Elfinder.netcore | 2024-11-21 | 8.6 High |
| This affects all versions of package elFinder.NetCore. The ExtractAsync function within the FileSystem is vulnerable to arbitrary extraction due to insufficient validation. | ||||
| CVE-2021-23426 | 1 Proto Project | 1 Proto | 2024-11-21 | 5.6 Medium |
| This affects all versions of package Proto. It is possible to inject pollute the object property of an application using Proto by leveraging the merge function. | ||||