cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2023-0163,https://securityvulnerability.io/vulnerability/CVE-2023-0163,Improperly Controlled Modification of Object Prototype Attributes Vulnerability in Convict,"A prototype pollution vulnerability exists in Mozilla Convict that enables an attacker to manipulate object prototype attributes. This can occur through improper controls, allowing the injection of new attributes or the modification of existing ones with incompatible types. Such actions may lead to operational issues, including potential crashes of the server. Primarily used for managing server-side configuration settings, Convict is often administered by server owners, which minimizes the likelihood of intentional misuse. However, this vulnerability underscores a risk if an unsuspecting administrator is deceived into embedding malicious JavaScript code within configuration files.",Mozilla,Convict,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-26T11:36:26.574Z,0
CVE-2022-21190,https://securityvulnerability.io/vulnerability/CVE-2022-21190,Prototype Pollution,"This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604). The [fix](https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880) introduced relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with __proto__ or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.__proto__ or foo.this.constructor.prototype.",Mozilla,Convict,7.5,HIGH,0.013089999556541443,false,,false,false,false,,,false,false,,2022-05-13T00:00:00.000Z,0
CVE-2022-22143,https://securityvulnerability.io/vulnerability/CVE-2022-22143,Prototype Pollution,The package convict before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508),Mozilla,Convict,7.5,HIGH,0.0032999999821186066,false,,false,false,false,,,false,false,,2022-05-01T00:00:00.000Z,0