MISP 跨站脚本漏洞

MISP is an open source software solution. The product is used to collect, store, distribute, and share network security metrics, and has features such as threat network security event analysis and malware analysis. A cross-site scripting vulnerability exists in MISP, which stems from...

Apache CXF 资源管理错误漏洞

Apache CXF is the United States Apache Apache Foundation's an open source Web services framework. The framework supports multiple Web service standards, multiple front-end programming APIs, etc. Apache CXF has a resource management error vulnerability that can be exploited by an attacker to submi...

GHSA-8H2J-CGX8-6XV7 Cross-Site Request Forgery (CSRF) in FastAPI

Impact FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery CSRF attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if...

WordPress 跨站脚本漏洞

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in WordPress Goto WordPress theme prior to version 2.1,...

GHSA-8RF5-92JH-3VC9 Uncaught Exception leading to Denial of Service in json-sanitizer

OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations...

Bryan Davis analytics-quarry-web 跨站脚本漏洞

Wikimedia Quarry analytics-quarry-web is an open source application. Wikimedia Quarry analytics-quarry-web is vulnerable to a cross-site scripting vulnerability. The vulnerability stems from the fact that app.py does not explicitly set the application json content type. No details of the...

GHSA-FJQ3-5PXW-4WJ4 Cross-Site Request Forgery in Webargs

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...

Npm is-my-json-valid 资源管理错误漏洞

Npm is-my-json-valid is an application of the United States Npm . A JSONSchema is very fast to validate using a code generation mechanism. A resource management error vulnerability exists in is-my-json-valid, which stems from the use of an inefficient regular expression to validate a JSON field...

VulnCheck KEV: CVE-2020-7961

Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services...

QuantConnect Lean Code Issue Vulnerability

Quantconnect Lean is a cross-platform algorithmic trading engine for strategy research, backtesting and real-time trading based on the C language from Quantconnect. A security vulnerability exists in QuantConnect Lean versions 2.3.0.0 through 2.4.0.1, which stems from a failure to securely...

F5 BIG-IP ASM 资源管理错误漏洞

F5 BIG-IP ASM is a Web Application Firewall WAF from F5 USA that provides secure remote access, protects email, and simplifies Web access control while enhancing network and application performance. A denial of service vulnerability exists in F5 BIG-IP ASM, which can be exploited by an attacker t...

CVE-2020-16240

GE Digital APM Classic, Versions 4.4 and prior. An insecure direct object reference IDOR vulnerability allows user account data to be downloaded in JavaScript object notation JSON format by users who should not have access to such functionality. An attacker can download sensitive data related to...

DEBIAN-CVE-2020-15366

An issue was discovered in ajv.validate in Ajv aka Another JSON Schema Validator 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. While untrusted schemas are recommended against, the worst case of an untrusted schema should be a...

Redash Code Issues Vulnerabilities

Redash is a set of data integration and analysis solutions from Redash Israel. The product supports data integration, data visualization, query editing and data sharing. A code issue vulnerability exists in the 'JSON' data source in Redash open-source 8.0.0 and prior versions, which arises from...

thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data...

DEBIAN-CVE-2020-10663

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsi...

PYSEC-2020-156

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...

PYSEC-2020-156

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...

DEBIAN-CVE-2019-5064

An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV, before version 4.2.0. A specially crafted JSON file can cause a buffer overflow, resulting in multiple heap corruptions and potentially code execution. An attacker can provide a...

kube-apiserver: DoS with crafted patch of type json-patch

A denial of service vulnerability was found in the Kubernetes API server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service...