OpenTSDB vulnerable to OS Command Injection

An issue was discovered in OpenTSDB 2.3.0. Many parameters to the /q URI can execute commands, including o, key, style, and yrange and y2range and their JSON input...

GHSA-R8RM-4HFJ-2X87 Data Amplification in Play Framework

In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input...

CVE-2021-43853

Ajax.NET Professional AjaxPro is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation...

Denial Of Service (DoS)

github.com/tidwall/gjson is vulnerable to denial of service DoS attacks. The vulnerability exists due to improper handling of long running matches in 'parseObject' in 'gjson.go' allowing a malicious user cause an application crash via a crafted json input...

CVE-2020-35131

Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI...

PT-2021-3184 · Gjson · Gjson

Name of the Vulnerable Software and Affected Versions: GJSON versions prior to 1.6.5 Description: The issue is related to an uncontrolled resource consumption in the GJSON library, which can be exploited by a remote attacker using a specially crafted JSON request to cause a denial of service. A...

CVE-2018-7489

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of th...

CVE-2020-26882

In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input...

CVE-2020-26882

In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input...

Input validation

In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input...

CVE-2020-26882

CVE-2020-26882 (Play Framework): Affects Play Framework versions 2.6.0 through 2.8.2. The vulnerability arises when an application accepts multipart/form-data JSON input, causing data amplification. Documents explicitly describe this as a vulnerability in Play Framework, with potential impact on ...

CVE-2020-26882

In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input...

Information Disclosure

js-bson is vulnerable to information disclosure. The library does not properly handle JSON input which results in incorrect serialization of BSON. This can lead to unexpected application behavior such as information disclosure...

Cross site request forgery (csrf)

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...

CVE-2020-7965

The CVE-2020-7965 entry concerns the Python Webargs project (flaskparser.py) in the 5.x line up to 5.5.2. Vulnerability detail: the code does not validate that the Content-Type header is application/json when handling JSON input; if the request body is valid JSON, it is accepted even when Content...

CVE-2020-7965

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...

Prototype Pollution

jpv is vulnerable to prototype pollution. Insufficient validation of JSON input allows the bypass of the validation logics of jpv. The built-in constructor can be overwritten to manipulate the type detection result...

CVE-2019-1002100

A denial of service vulnerability was found in the Kubernetes API server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service. Mitigation Remove ‘patch’ permissions from untruste...

jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.

A new polymorphic typing flaw was discovered in FasterXML jackson-databind, versions 2.x through 2.9.9. With default typing enabled, an attacker can send a specifically crafted JSON message to the server that allows them to read arbitrary local files...

MozDef - Mozilla Enterprise Defense Platform

The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like metasploit, armitage, lair, dradis and others are readily available to help attackers coordinate, share intelligence and finely tune their attacks in real time. Defenders are usually limited to...