PT-2021-2239 · Moodle +1 · Moodle +1

Name of the Vulnerable Software and Affected Versions: Moodle versions prior to 3.10.1 Moodle versions prior to 3.9.4 Moodle versions prior to 3.8.7 Moodle versions prior to 3.5.16 Description: The issue is related to insufficient cleaning of user-provided data in the TeX notation filter of the...

QuantConnect Lean Code Issue Vulnerability

Quantconnect Lean is a cross-platform algorithmic trading engine for strategy research, backtesting and real-time trading based on the C language from Quantconnect. A security vulnerability exists in QuantConnect Lean versions 2.3.0.0 through 2.4.0.1, which stems from a failure to securely...

F5 BIG-IP ASM 资源管理错误漏洞

F5 BIG-IP ASM is a Web Application Firewall WAF from F5 USA that provides secure remote access, protects email, and simplifies Web access control while enhancing network and application performance. A denial of service vulnerability exists in F5 BIG-IP ASM, which can be exploited by an attacker t...

CVE-2020-27196

An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint that may or may not expect JSON payloads causes a StackOverflowError and Denial of...

Design/Logic Flaw

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none...

CVE-2020-16240

GE Digital APM Classic, Versions 4.4 and prior. An insecure direct object reference IDOR vulnerability allows user account data to be downloaded in JavaScript object notation JSON format by users who should not have access to such functionality. An attacker can download sensitive data related to...

Prototype Pollution in acstll/deep-get-set

Description deep-set-get is a Set and get values on objects via dot-notation strings. This package is vulnerable to prototype pollution. POC const deep = require'deep-get-set'; deep,'proto','polluted',true; console.logpolluted;...

DEBIAN-CVE-2020-15366

An issue was discovered in ajv.validate in Ajv aka Another JSON Schema Validator 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. While untrusted schemas are recommended against, the worst case of an untrusted schema should be a...

Redash Code Issues Vulnerabilities

Redash is a set of data integration and analysis solutions from Redash Israel. The product supports data integration, data visualization, query editing and data sharing. A code issue vulnerability exists in the 'JSON' data source in Redash open-source 8.0.0 and prior versions, which arises from...

thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data...

USN-4360-1 json-c vulnerability

It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code...

Concrete CMS: SSRF bypass

This simply describes a bypass for report at https://hackerone.com/reports/243865, using a decimal notation encoded IP address 0177.0.0.1 currently bypasses the limitations in place for localhost. crayons re-submitting report including "magic" string Concrete5 version used is 8.5.2 Impact...

DEBIAN-CVE-2020-10663

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsi...

perl-Convert-ASN1 Denial of Service Vulnerability

Perl is a general-purpose, interpreted, dynamic cross-platform programming language from the Perl community. A security vulnerability exists in perl-Convert-ASN1 0.27 and earlier versions, which stems from the program's unsafe decoding of user input. A remote attacker can exploit the vulnerabilit...

Prototype Pollution

Overview eivindfjeldstad-dot is a module that Gets and sets object properties with dot notation. Note: this package has been deprecated and moved into @eivifj/dot. Affected versions of this package are vulnerable to Prototype Pollution. The function set could be tricked into adding or modifying...

Prototype Pollution

Overview @eivifj/dot is a module that gets and sets object properties with dot notation. Affected versions of this package are vulnerable to Prototype Pollution. The function set could be tricked into adding or modifying properties of Object.prototype using a proto payload. PoC var a =...

[SECURITY] Fedora 31 Update: nodejs-set-value-2.0.1-1.fc31

Create nested values and any intermediaries using dot notation a.b.c path s...

[SECURITY] Fedora 30 Update: nodejs-set-value-2.0.1-1.fc30

Create nested values and any intermediaries using dot notation a.b.c path s...

PYSEC-2020-156

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...

PYSEC-2020-156

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...