Export limit exceeded: 366668 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (366668 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-23463 | 1 H2database | 1 H2 | 2024-11-21 | 8.1 High |
| The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability. | ||||
| CVE-2021-23460 | 1 Camunda | 1 Min-dash | 2024-11-21 | 7.5 High |
| The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types. | ||||
| CVE-2021-23452 | 1 Binaryops | 1 X-assign | 2024-11-21 | 8.6 High |
| This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object. | ||||
| CVE-2021-23451 | 1 Otp-generator Project | 1 Otp-generator | 2024-11-21 | 6.5 Medium |
| The package otp-generator before 3.0.0 are vulnerable to Insecure Randomness due to insecure generation of random one-time passwords, which may allow a brute-force attack. | ||||
| CVE-2021-23450 | 3 Debian, Linuxfoundation, Oracle | 5 Debian Linux, Dojo, Communications Policy Management and 2 more | 2024-11-21 | 7.5 High |
| All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. | ||||
| CVE-2021-23449 | 1 Vm2 Project | 1 Vm2 | 2024-11-21 | 9.8 Critical |
| This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. | ||||
| CVE-2021-23448 | 1 Config-handler Project | 1 Config-handler | 2024-11-21 | 6.5 Medium |
| All versions of package config-handler are vulnerable to Prototype Pollution when loading config files. | ||||
| CVE-2021-23447 | 1 Teddy Project | 1 Teddy | 2024-11-21 | 5.4 Medium |
| This affects the package teddy before 0.5.9. A type confusion vulnerability can be used to bypass input sanitization when the model content is an array (instead of a string). | ||||
| CVE-2021-23446 | 1 Handsontable | 1 Handsontable | 2024-11-21 | 7.5 High |
| The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function. | ||||
| CVE-2021-23445 | 2 Datatables, Redhat | 2 Datatables.net, Jboss Enterprise Application Platform | 2024-11-21 | 3.1 Low |
| This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped. | ||||
| CVE-2021-23444 | 1 Client | 1 Jointjs | 2024-11-21 | 5.6 Medium |
| This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function. | ||||
| CVE-2021-23443 | 1 Adonisjs | 1 Edge | 2024-11-21 | 5.4 Medium |
| This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used. | ||||
| CVE-2021-23442 | 1 Cookiex-deep Project | 1 Cookiex-deep | 2024-11-21 | 8.6 High |
| This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object. | ||||
| CVE-2021-23440 | 3 Oracle, Redhat, Set-value Project | 4 Communications Cloud Native Core Policy, Acm, Openshift Data Foundation and 1 more | 2024-11-21 | 7.3 High |
| This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays. | ||||
| CVE-2021-23439 | 1 Johndatserakis | 1 File-upload-with-preview | 2024-11-21 | 4.2 Medium |
| This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file). | ||||
| CVE-2021-23438 | 1 Mpath Project | 1 Mpath | 2024-11-21 | 5.6 Medium |
| This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input. | ||||
| CVE-2021-23437 | 2 Fedoraproject, Python | 2 Fedora, Pillow | 2024-11-21 | 7.5 High |
| The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. | ||||
| CVE-2021-23436 | 2 Immer Project, Redhat | 2 Immer, Jboss Enterprise Bpms Platform | 2024-11-21 | 5.6 Medium |
| This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type. | ||||
| CVE-2021-23435 | 1 Thoughtbot | 1 Clearance | 2024-11-21 | 7.6 High |
| This affects the package clearance before 2.5.0. The vulnerability can be possible when users are able to set the value of session[:return_to]. If the value used for return_to contains multiple leading slashes (/////example.com) the user ends up being redirected to the external domain that comes after the slashes (http://example.com). | ||||
| CVE-2021-23434 | 3 Debian, Object-path Project, Redhat | 3 Debian Linux, Object-path, Acm | 2024-11-21 | 5.6 Medium |
| This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different. | ||||