466 matches found

BDU FSTEC
added 2021/06/09 12:00 a.m. · 0 views

The vulnerability of the GJSON library in Aurora Application Software lies in the insufficient validation of input data, which allows a perpetrator to trigger a service failure.

The vulnerability of the GJSON library used in Aurora software applications is related to insufficient validation of input data. Exploiting this vulnerability can allow a malicious actor to trigger a service failure by sending a specially crafted request containing JSON data...

CVSS 7.5 · EPSS 0.00471
Exploits 1 · References 3 · Affected Software 2
Positive Technologies
added 2021/06/02 12:00 a.m. · 3 views

PT-2021-4289 · Fastapi +1

Name of the Vulnerable Software and Affected Versions: FastAPI versions prior to 0.65.2
Description: The issue is related to a Cross-Site Request Forgery (CSRF) attack in FastAPI, a web framework for building APIs with Python. In versions lower than 0.65.2, FastAPI would try to read the request...

CVSS 8.8 · AI score 7.9 · EPSS 0.00119
Exploits 0 · References 20
Check Point Advisories
added 2021/04/27 12:00 a.m. · 4 views

XStream Library Arbitrary File Deletion (CVE-2020-26259)

An arbitrary file deletion vulnerability exists in the XStream library. The vulnerability is due to improper validation of user input during unmarshalling of XML and JSON data...

CVSS 6.4 · AI score 4.2 · EPSS 0.8887
Exploits 5
OSV
added 2021/03/16 5:15 p.m. · 4 views

CVE-2020-28899

The Web CGI Script on ZyXEL LTE4506-M606 V1.00ABDO.2C0 devices does not require authentication, which allows remote unauthenticated attackers via crafted JSON action data to /cgi-bin/gui.cgi to use all features provided by the router. Examples: change the router password, retrieve the Wi-Fi...

CVSS 9.1 · AI score 5.8 · EPSS 0.00344
Exploits 0 · References 1
OSV
added 2021/02/12 6:15 p.m. · 1 view

CVE-2021-22976

On BIG-IP Advanced WAF and ASM version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and all 12.1.x versions, when the BIG-IP ASM system processes WebSocket requests with JSON payloads, an unusually large number of parameters can cause excessive CPU...

CVSS 7.5 · AI score 7.1
Exploits 0 · References 1
OSV
added 2021/01/08 5:15 p.m. · 21 views

CVE-2020-35131

Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI...

CVSS 9.8 · AI score 7.6
Exploits 0 · References 3
Cvelist
added 2021/01/08 4:09 p.m. · 12 views

CVE-2020-35131

Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI...

AI score 9.8 · EPSS 0.91149
Exploits 1 · References 3
CNNVD
added 2021/01/04 12:00 a.m. · 1 view

Korzio Djv Command Injection Vulnerability

Korzio Djv is JavaScript-based software by the individual developer Korzio that is used to dynamically validate the format of JSON data. A command injection vulnerability exists in djv versions prior to 2.1.4; it stems from the web application's lack of proper validation of client-side data. An attack...

CVSS 10 · AI score 7.6 · EPSS 0.00473
Exploits 1 · References 4
RedhatCVE
added 2020/10/13 8:19 p.m. · 26 views

CVE-2019-1010083

A flaw was found in python-flask. Unexpected memory usage can occur through specially crafted encoded JSON data. The highest threat from this vulnerability is to system availability. Note, this may overlap CVE-2018-1000656...

CVSS 7.5 · AI score 1.9 · EPSS 0.00644
Exploits 1 · References 2
Veracode
added 2020/09/24 2:25 a.m. · 24 views

Cross-site Scripting (XSS)

gon is vulnerable to cross-site scripting (XSS) attacks. Lack of sanitization of malicious characters within the JSON data in jsondumper.rb allows a malicious user to inject and execute arbitrary JavaScript in a user's browser...

CVSS 6.1 · AI score 4.6 · EPSS 0.00607
Exploits 0 · References 3 · Affected Software 1
Exploit DB
added 2020/07/22 12:00 a.m. · 725 views

Sophos VPN Web Panel 2020 - Denial of Service (Poc)

Exploit Title: Sophos VPN Web Panel 2020 - Denial of Service Poc
Date: 2020-06-17
Exploit Author: Berk KIRAS
Vendor Homepage: https://www.sophos.com/
Version: 2020 Web Panel
Tested on: Apache
Berk KIRAS PwC - Cyber Security Specialist Sophos VPN Web Portal Denial of Service Vulnerability System...

AI score 7.4
Exploits 0
NVD
added 2020/06/24 7:15 p.m. · 8 views

CVE-2020-13248

BooleBox Secure File Sharing Utility before 4.2.3.0 allows stored XSS via a crafted avatar field within My Account JSON data to Account.aspx...

CVSS 5.4 · EPSS 0.00402
Exploits 1 · References 2
CVE
added 2020/06/24 6:36 p.m. · 45 views

CVE-2020-13248

BooleBox Secure File Sharing Utility pre-4.2.3.0 suffers a stored XSS vulnerability (CVE-2020-13248) in the My Account avatar data sent to Account.aspx. A crafted avatar field can execute scripts in the affected session. Root cause: insufficient validation of the avatar JSON parameter. The CVE en...

CVSS 5.4 · AI score 5 · EPSS 0.00402
Exploits 1 · References 2 · Affected Software 1
OSV
added 2020/06/11 7:15 p.m. · 9 views

CVE-2020-12725

Havoc Research discovered an authenticated Server-Side Request Forgery (SSRF) via the "JSON" data source of Redash open-source 8.0.0 and prior. Possibly, other connectors are affected. The SSRF is potent and provides a lot of flexibility in terms of being able to craft HTTP requests, e.g., by adding...

CVSS 7.2 · AI score 6.7
Exploits 0 · References 3
Prion
added 2020/06/11 7:15 p.m. · 18 views

Server-Side Request Forgery (SSRF)

Havoc Research discovered an authenticated Server-Side Request Forgery (SSRF) via the "JSON" data source of Redash open-source 8.0.0 and prior. Possibly, other connectors are affected. The SSRF is potent and provides a lot of flexibility in terms of being able to craft HTTP requests, e.g., by adding...

CVSS 6.5 · AI score 6.8 · EPSS 0.00746
Exploits 1 · References 3 · Affected Software 1
Cvelist
added 2020/06/11 6:50 p.m. · 10 views

CVE-2020-12725

Havoc Research discovered an authenticated Server-Side Request Forgery (SSRF) via the "JSON" data source of Redash open-source 8.0.0 and prior. Possibly, other connectors are affected. The SSRF is potent and provides a lot of flexibility in terms of being able to craft HTTP requests, e.g., by adding...

AI score 6.9 · EPSS 0.00746
Exploits 1 · References 3
Positive Technologies
added 2020/06/11 12:00 a.m. · 3 views

PT-2020-13229 · Redash

Name of the Vulnerable Software and Affected Versions: Redash open-source versions 8.0.0 and prior
Description: An authenticated Server-Side Request Forgery (SSRF) was discovered via the JSON data source. This issue provides flexibility in crafting HTTP requests, such as adding headers and selectin...

CVSS 7.2 · AI score 6.9 · EPSS 0.00746
Exploits 1 · References 7
CVE
added 2020/05/21 10:15 p.m. · 101 views

CVE-2018-21234

Jodd before 5.0.4 is affected by CVE-2018-21234: Deserialization of Untrusted JSON Data when setClassMetadataName is set. The issue stems from how the library handles deserialization, enabling potentially untrusted data to be deserialized. Impact is indicated as high (NVD CVSS v3.1 base score 9.8...

CVSS 9.8 · AI score 9.4 · EPSS 0.25246
Exploits 0 · References 14 · Affected Software 1
Cvelist
added 2020/05/21 10:15 p.m. · 15 views

CVE-2018-21234

Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set...

AI score 9.6 · EPSS 0.25246
Exploits 0 · References 14
CNVD
added 2020/05/12 12:00 a.m. · 0 views

Zephyr Code Execution Vulnerability

Zephyr is an open source, small, scalable real-time operating system from the Linux Foundation. A security vulnerability exists in Zephyr versions 2.1.0 and later and 2.2.0 and later. An attacker can exploit this vulnerability by sending a malformed JSON file to the UpdateHub server to cause a...

CVSS 9.8 · AI score 7.3 · EPSS 0.01697
Exploits 0 · References 1