Show filters
139 Total Results
Displaying 11-20 of 139
Sort by:
Attacker Value
Unknown
CVE-2024-5060
Disclosure Date: May 24, 2024 (last updated January 05, 2025)
The LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.10.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
0
Attacker Value
Unknown
CVE-2024-24786
Disclosure Date: March 05, 2024 (last updated March 06, 2024)
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
0
Attacker Value
Unknown
CVE-2023-5123
Disclosure Date: February 14, 2024 (last updated February 26, 2025)
The JSON datasource plugin ( https://grafana.com/grafana/plugins/marcusolsson-json-datasource/ ) is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing JSON data from a remote endpoint (including a specific sub-path) configured by an administrator. Due to inadequate sanitization of the dashboard-supplied path parameter, it was possible to include path traversal characters (../) in the path parameter and send requests to paths on the configured endpoint outside the configured sub-path.
This means that if the datasource was configured by an administrator to point at some sub-path of a domain (e.g. https://example.com/api/some_safe_api/ ), it was possible for an editor to create a dashboard referencing the datasource which issues queries containing path traversal characters, which would in turn cause the datasource to instead query arbitrary subpaths on the configured domain (e.g. https://exampl…
0
Attacker Value
Unknown
CVE-2022-48623
Disclosure Date: February 13, 2024 (last updated February 26, 2025)
The Cpanel::JSON::XS package before 4.33 for Perl performs out-of-bounds accesses in a way that allows attackers to obtain sensitive information or cause a denial of service.
0
Attacker Value
Unknown
CVE-2023-6268
Disclosure Date: December 26, 2023 (last updated February 25, 2025)
The JSON Content Importer WordPress plugin before 1.5.4 does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
0
Attacker Value
Unknown
CVE-2023-50472
Disclosure Date: December 14, 2023 (last updated February 25, 2025)
cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSON.c.
0
Attacker Value
Unknown
CVE-2023-50471
Disclosure Date: December 14, 2023 (last updated February 25, 2025)
cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c.
0
Attacker Value
Unknown
CVE-2023-50773
Disclosure Date: December 13, 2023 (last updated February 25, 2025)
Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
0
Attacker Value
Unknown
CVE-2023-50772
Disclosure Date: December 13, 2023 (last updated February 25, 2025)
Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
0
Attacker Value
Unknown
CVE-2023-48238
Disclosure Date: November 17, 2023 (last updated February 25, 2025)
joaquimserafim/json-web-token is a javascript library use to interact with JSON Web Tokens (JWT) which are a compact URL-safe means of representing claims to be transferred between two parties. Affected versions of the json-web-token library are vulnerable to a JWT algorithm confusion attack. On line 86 of the 'index.js' file, the algorithm to use for verifying the signature of the JWT token is taken from the JWT token, which at that point is still unverified and thus shouldn't be trusted. To exploit this vulnerability, an attacker needs to craft a malicious JWT token containing the HS256 algorithm, signed with the public RSA key of the victim application. This attack will only work against this library is the RS256 algorithm is in use, however it is a best practice to use that algorithm.
0