
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Mar 2023 — [Json-smart](https://netplex.github.io/json-smart/) is a performance-focused JSON processor library. When reaching a '[' or '{' character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit on the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software. A flaw was found in the json-smart package. • https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633 • CWE-674: Uncontrolled Recursion •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Mar 2023 — A vulnerability classified as critical has been found in json-logic-js 2.0.0. Affected by this issue is some unknown functionality of the file logic.js. The manipulation leads to command injection. Upgrading to version 2.0.1 addresses this issue. The patch is identified as c1dd82f5b15d8a553bb7a0cfa841ab8a11a9c227. • https://github.com/jwadhams/json-logic-js/commit/c1dd82f5b15d8a553bb7a0cfa841ab8a11a9c227 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Feb 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Bernhard Kux JSON Content Importer plugin <= 1.3.15 versions. The JSON Content Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an inje... • https://patchstack.com/database/vulnerability/json-content-importer/wordpress-json-content-importer-plugin-1-3-15-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

03 Feb 2023 — Buffer overflow vulnerability in Barenboim json-parser master and v1.1.0, fixed in v1.1.1, allows an attacker to execute arbitrary code via the json_value_parse function. • https://github.com/Barenboim/json-parser/issues/7 • CWE-787: Out-of-bounds Write •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Feb 2023 — Buffer overflow vulnerability in function json_parse_value in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to execute arbitrary code and gain escalated privileges. • https://github.com/hyrathon/trophies/security/advisories/GHSA-55fm-gm4m-3v3j • CWE-787: Out-of-bounds Write •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Feb 2023 — Buffer overflow vulnerability in function json_parse_number in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to execute arbitrary code and gain escalated privileges. • https://github.com/hyrathon/trophies/security/advisories/GHSA-r9wh-hxqh-3xq7 • CWE-787: Out-of-bounds Write •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Feb 2023 — Buffer overflow vulnerability in function json_parse_string in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to execute arbitrary code and gain escalated privileges. • https://github.com/hyrathon/trophies/security/advisories/GHSA-29hf-wrjw-2f28 • CWE-787: Out-of-bounds Write •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Feb 2023 — Buffer overflow vulnerability in function json_parse_key in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to execute arbitrary code and gain escalated privileges. • https://github.com/hyrathon/trophies/security/advisories/GHSA-r2mm-2f4c-6243 • CWE-787: Out-of-bounds Write •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

31 Jan 2023 — Buffer overflow vulnerability in function json_parse_object in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to execute arbitrary code and gain escalated privileges. • https://github.com/hyrathon/trophies/security/advisories/GHSA-wvpq-p7pp-cj6m • CWE-787: Out-of-bounds Write •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Dec 2022 — Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low-latency connection, an attacker may use this to determine the expected HMAC. • https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654 • CWE-668: Exposure of Resource to Wrong Sphere •