CVE-2024-32866

HIGH Year: 2024
CVSS v3 Score
8.6
High
Weakness Type
CWE-1321
View all →

Vulnerability Description

Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.

Related Vulnerabilities

CVE-2024-12556

HIGH
CVSS:8.7(High)

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.

CWE-13212024

CVE-2023-0163

HIGH
CVSS:8.4(High)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other componen...

CWE-13212023

CVE-2018-11135

HIGH
CVSS:8.8(High)

The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks.

CWE-13212018

CVE-2019-10808

HIGH
CVSS:8.8(High)

utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.

CWE-13212019

CVE-2019-17316

HIGH
CVSS:8.8(High)

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.

CWE-13212019

CVE-2021-20083

HIGH
CVSS:8.8(High)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-plugin-query-object 2.2.3 allows a malicious user to inject properties into Object.prototype.

CWE-13212021