EUVD-2019-0159
Malware in sbrugna...
EUVD-2020-0240
Malware in sbrugna...
GHSA-FJQ3-5PXW-4WJ4 Cross-Site Request Forgery in Webargs
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...
aiowrpr (>=0.0.1a1 <=0.0.1a7), infiniguard-api (>=1.2.10 <=1.2.11) +5 more potentially affected by CVE-2020-7965 via webargs (>=5.1.1 <=5.5.2)
webargs PYPI version =5.1.1, =0.0.1a1, =1.2.10, =1.1.0b1, =0.3.0, =1.1.0, =0.100.3, =0.1.0, =0.10.0 Source cves: CVE-2020-7965 Source advisory: OSV:GHSA-FJQ3-5PXW-4WJ4...
Cross-Site Request Forgery in Webargs
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...
Cross-Site Request Forgery (CSRF)
webargs is vulnerable to cross-site request forgery (CSRF). The parser does not verify that the Content-Type header is application/json when JSON input is received. If the request body is valid JSON, the application accepts it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST reques...
CVE-2020-7965
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...
aiowrpr (>=0.0.1a1 <=0.0.1a7), infiniguard-api (>=1.2.10 <=1.2.11) +5 more potentially affected by CVE-2020-7965 via webargs (>=5.1.1 <=5.5.2)
webargs PYPI version =5.1.1, =0.0.1a1, =1.2.10, =1.1.0b1, =0.3.0, =1.1.0, =0.100.3, =0.1.0, =0.10.0 Source cves: CVE-2020-7965 Source advisory: OSV:PYSEC-2020-156...
PYSEC-2020-156
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made...
CVE-2020-7965
The CVE-2020-7965 entry concerns the Python Webargs project (flaskparser.py) in the 5.x line up to 5.5.2. Vulnerability detail: the code does not validate that the Content-Type header is application/json when handling JSON input; if the request body is valid JSON, it is accepted even when Content...
Webargs mishandles concurrent JSON parsing
An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests...
aiohttp-apispec (>=0.7.2 <=0.7.6), pygrest (>=1.0.1 <=1.3.0) +1 more potentially affected by CVE-2019-9710 via webargs (>=1.8.1 <=5.1.2)
webargs PYPI version =1.8.1, =0.7.2, =1.0.1, =0.4.0, =0.100.2rc4 Source cves: CVE-2019-9710 Source advisory: OSV:GHSA-8554-JXCW-454Q...
GHSA-8554-JXCW-454Q Webargs mishandles concurrent JSON parsing
An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests...
Insecure Caching
webargs uses insecure caching. The parsed JSON body is stored in a short-lived cache that is not thread-safe, which can cause an incorrect JSON payload to be parsed for a concurrent request...
Design/Logic Flaw
An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests...
PYSEC-2019-139
An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests...
aiohttp-apispec (>=0.7.2 <=0.7.6), pygrest (>=1.0.1 <=1.3.0) +1 more potentially affected by CVE-2019-9710 via webargs (>=1.8.1 <=5.1.2)
webargs PYPI version =1.8.1, =0.7.2, =1.0.1, =0.4.0, =0.100.2rc4 Source cves: CVE-2019-9710 Source advisory: OSV:PYSEC-2019-139...