Fastify denial-of-service vulnerability with large JSON payloads
Overview: Affected versions of fastify are vulnerable to a denial of service when processing a request with Content-Type set to application/json and a very large payload.
Recommendation: Update to version 0.38.0 or later.
References: - Commit fabd2a0 - HackerOne Report 303632 - GitHub Advisory...
WakaTime: JSON CSRF on POST Heartbeats API
Thanks @sp1d3rs! The WakaTime API used JSON for communications and supported cookie-based authentication/CSRF protection on https://api.wakatime.com. Usually, JSON is CSRF-safe, but only when requests with a content-type other than application/json get rejected or additional CSRF protection is in plac...
Fedora 23 : kubernetes-1.2.0-0.15.alpha6.gitf0cd09a.fc23 (2016-a89f5ce5f4)
Update to origin 1.1.3, disable v1beta1, v1beta3, fix application/json content type, don't let hyperkube parse flags for all commands, make it optional
----
Update to origin 1.1.3, disable v1beta1, v1beta3, fix application/json content type, don't let hyperkube parse flags
----
Update to...
devel/ipython -- remote execution
Kyle Kelley reports: Summary: JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross-site scripting attack. This affects use...