CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP JSON with Padding through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP JSON with Padding through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...

CVE-2018-11040

CVE-2018-11040 affects Spring Framework: 5.0.x before 5.0.7 and 4.3.x before 4.3.18 (and older unsupported versions). The issue arises because JSONP support can be enabled via JSONP parameters when MappingJackson2JsonView is configured, allowing cross-domain requests through AbstractJsonpResponse...

Cross-Domain Request Through Insecure JSONP Defaults

spring-webmvc is vulnerable to cross-domain requests. The vulnerability exists as JSONP is enabled through the jsonp and callback JSONP parameters in MappingJackson2JsonView by default...

Liberapay: Exploiting JSONP callback on /username/charts.json endpoint leads to information disclosure despite user's privacy settings

Hello! Vulnerability Details The /username/charts.json endpoint can return a JSONP callback due to the fact that jsonpdump is used in the file charts.json.spt. It appears that the content of the JSONP request depends on the authentication of the user. If the user enabled the privacy setting which...

Design/Logic Flaw

totemomail Encryption Gateway before 6.0b567 allows remote attackers to obtain sensitive information about user sessions and encryption key material via a JSONP hijacking attack...

CVE-2018-6562

totemomail Encryption Gateway before 6.0b567 allows remote attackers to obtain sensitive information about user sessions and encryption key material via a JSONP hijacking attack...

CVE-2018-6562

totemomail Encryption Gateway before 6.0b567 allows remote attackers to obtain sensitive information about user sessions and encryption key material via a JSONP hijacking attack...

CVE-2018-6562

totemomail Encryption Gateway before 6.0b567 allows remote attackers to obtain sensitive information about user sessions and encryption key material via a JSONP hijacking attack...

CVE-2018-6562

The CVE-2018-6562 entry concerns totemomail Encryption Gateway prior to 6.0_b567, where a JSONP hijacking vulnerability allows remote attackers to obtain sensitive information about user sessions and encryption key material. Public sources describe this as a remote, web-facing information-disclos...

Totemomail Encryption Gateway 6.0.0_Build_371 JSONP Hijacking

COMPASS SECURITY ADVISORY https://www.compass-security.com/research/advisories/ Product: totemomail Encryption Gateway Vendor: totemo AG CSNC ID: CSNC-2018-002 CVE ID: CVE-2018-6562 Subject: JSONP hijacking Risk: High Effect: Remotely exploitable Author: Nicolas Heiniger Date: 14.05.2018...

Shopware 5.3.7 Cross Site Request Forgery Vulnerability

Shopware versions 4.0.1 through 5.3.7 suffer from a cross site request forgery vulnerability. Malicious, third-party websites may abuse this API to list, add or remove products from a user's cart. Shopware Cart Accessible by Third-Party Websites RedTeam Pentesting discovered that the shopping car...

Shopware 5.3.7 Cross Site Request Forgery

Advisory: Shopware Cart Accessible by Third-Party Websites RedTeam Pentesting discovered that the shopping cart implemented by Shopware offers an insecure API. Malicious, third-party websites may abuse this API to list, add or remove products from a user's cart. Details ======= Product: Shopware...

CVE-2018-6835

node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions...

CVE-2018-6835

node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions...

Design/Logic Flaw

node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions...

CVE-2018-6835

node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions...

CVE-2018-6835

Etherpad Lite before v1.6.3 contains a vulnerability in node/hooks/express/apicalls.js where JSONP is mishandled, allowing remote attackers to bypass intended access restrictions. The issue is tied to CVE-2018-6835. Affected software/version details from connected sources indicate the fix was rel...

Code injection

Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895. The web server uses JSONP and hosts sensitive information including configuration. User controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the...

CVE-2018-6460

Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895. The web server uses JSONP and hosts sensitive information including configuration. User controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the...