101 matches found
Data Amplification in Play Framework
An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON...
CVE-2021-32677 Cross-Site Request Forgery (CSRF) in FastAPI
FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. I...
GHSA-PMQP-H87C-MR78 XML Entity Expansion and Improper Input Validation in Kubernetes API server
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming...
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming...
Design/Logic Flaw
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and 12.1.x before 12.1.5.3, when the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON Content Profile in the ASM Security Policy, the BIG-...
CVE-2021-23010
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and 12.1.x before 12.1.5.3, when the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON Content Profile in the ASM Security Policy, the BIG-...
CVE-2021-23010
CVE-2021-23010 affects BIG-IP ASM/Advanced WAF: when processing WebSocket requests with JSON payloads using the default JSON Content Profile, the BIG-IP ASM bd process may produce a core file. Affected versions include 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x b...
Code injection
On BIG-IP Advanced WAF and ASM version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and all 12.1.x versions, when the BIG-IP ASM system processes WebSocket requests with JSON payloads, an unusually large number of parameters can cause excessive CPU...
CVE-2020-28923
An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON...
Design/Logic Flaw
A vulnerability in the user management functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to manage user information for users in different domains on an affected system. The vulnerability is due to improper domain access control. An attacker could...
CVE-2020-26080 Cisco IoT Field Network Director Improper Domain Access Control Vulnerability
A vulnerability in the user management functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to manage user information for users in different domains on an affected system. The vulnerability is due to improper domain access control. An attacker could...
Denial Of Service (DoS)
play is vulnerable to denial of service (DoS). The vulnerability exists because JSON payloads uploaded as a form field cause data amplification...
GHSA-V9WP-8R97-V6XG Cross-Site Scripting in jquery.json-viewer
Versions of jquery.json-viewer prior to 1.3.0 are vulnerable to Cross-Site Scripting (XSS). The package insufficiently sanitizes user input when creating links, and concatenates the user input in an <a> tag. This allows attackers to create malicious links with JSON payloads such as: "foo":...
CVE-2019-11253
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming...
50m-ctf: `Cody trolled us all` h1-702 CTF write-up
Premise I use not to play CTF challenges because they usually absorb me entirely. I cannot think of anything else but "I want that flag!". That said, this is going to be a long story: no princess, no dragoons, only a tweet. https://twitter.com/Hacker0x01/status/1100543680383832065 Level 0 - Nothi...
Security Bulletin: IBM API Connect is affected by a denial of service vulnerability via large JSON payloads (CVE-2018-1779)
Summary API Connect has addressed the following vulnerability. The management microservice in API Connect version 2018.1 through 2018.3.7 is vulnerable to denial of service attacks via large JSON payloads. An attacker can flood the management service with unauthenticated api requests with large...
Denial of Service vulnerability with large JSON payloads in fastify
Affected versions of fastify are vulnerable to a denial of service when processing a request with Content-Type set to application/json and a very large payload. Recommendation Update to version 0.38.0 or later...