31 matches found
GHSA-5C5F-7VFQ-3732 JMESPath for Ruby uses unsafe JSON.load when safe JSON.parse is preferable
jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...
JMESPath for Ruby using JSON.load instead of JSON.parse
jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...
CVE-2022-32511
jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...
CVE-2022-32511
jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...
Design/Logic Flaw
jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...
CVE-2022-32511
CVE-2022-32511 affects the Ruby gem jmespath.rb (JMESPath for Ruby)
CVE-2022-32511
jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...
GHSA-7QM6-9V49-38M9 Prototype Pollution in record-like-deep-assign
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. PoC js const deepAssign = require'record-like-deep-assign'; let obj = ; console.log"Before being polluted: " + obj.polluted; EVILJSON = JSON.parse'"proto":"polluted":true'; deepAssign...
GHSA-5PXJ-MHWJ-X5GV Prototype Pollution in asciitable.js
The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function. PoC js var a = require"asciitable.js"; var b = JSON.parse'"proto":"test":123'; a,b; console.log.test...
Prototype Pollution in asciitable.js
The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function. PoC js var a = require"asciitable.js"; var b = JSON.parse'"proto":"test":123'; a,b; console.log.test...
Prototype Pollution in babak-gholamzadeh/deeply-object-assign
Description deeply-object-assign is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var deeplyObjectAssign = require"deeply-object-assign" const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " +...
Prototype Pollution
merge is vulnerable to prototype pollution. A bypass of the fix for CVE-2018-16469 exists and allows arbitrary properties of the Object prototype to be added or modified via JSON.parse...
HTML Injection in preact
Versions of preact 10.x on prerelease tags alpha and beta prior to 10.0.0-beta.1 are vulnerable to HTML Injection. Due to insufficient input validation the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires user input...
CVE-2020-24345
JerryScript through 2.3.0 allows stack consumption via function anew new Proxya,JSON.parse"",a. NOTE: the vendor states that the problem is the lack of the --stack-limit option...
CVE-2020-24345
JerryScript through 2.3.0 allows stack consumption via function anew new Proxya,JSON.parse"",a. NOTE: the vendor states that the problem is the lack of the --stack-limit option...
CVE-2020-24345
JerryScript through 2.3.0 allows stack consumption via function anew new Proxya,JSON.parse"",a. NOTE: the vendor states that the problem is the lack of the --stack-limit option...
HTML Injection
Overview Versions of preact 10.x on prerelease tags alpha and beta prior to 10.0.0-beta.1 are vulnerable to HTML Injection. Due to insufficient input validation the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires us...
Remote Code Execution (RCE)
ruby is vulnerable to remote code execution RCE attacks. The vulnerability exists due to a heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of servi...
Prototype Pollution
defaults-deep is vulnerable to prototype pollution. Properties of the Object prototype can be added or modified via JSON.parse, causing a denial of service condition or possibly remote code execution depending on the application...
Regular Expression Denial of Service in parsejson
Affected versions of parsejson are vulnerable to a regular expression denial of service when parsing untrusted user input. Recommendation The parsejson package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in...