
CVE-2022-4742 – json-pointer index.js set prototype pollution
https://notcve.org/view.php?id=CVE-2022-4742
26 Dec 2022 — A vulnerability, which was classified as critical, has been found in json-pointer up to 0.6.1. Affected by this issue is the function set of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. Upgrading to version 0.6.2 is able to address this issue. • https://github.com/manuelstofer/json-pointer/commit/859c9984b6c407fc2d5a0a7e47c7274daa681941 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVE-2022-45688
https://notcve.org/view.php?id=CVE-2022-45688
13 Dec 2022 — A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. • https://github.com/scabench/jsonorg-tp1 • CWE-787: Out-of-bounds Write •

CVE-2022-41714
https://notcve.org/view.php?id=CVE-2022-41714
03 Nov 2022 — fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited. • https://fluidattacks.com/advisories/guetta • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVE-2022-42743
https://notcve.org/view.php?id=CVE-2022-42743
03 Nov 2022 — deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited. • https://fluidattacks.com/advisories/buuren • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVE-2022-38882
https://notcve.org/view.php?id=CVE-2022-38882
19 Sep 2022 — The d8s-json for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0. • https://github.com/democritus-project/d8s-json/issues/9 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2022-25921 – Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2022-25921
29 Aug 2022 — All versions of package morgan-json are vulnerable to Arbitrary Code Execution due to missing sanitization of input passed to the Function constructor. • https://github.com/indexzero/morgan-json/blob/3a76010215a4256d41687d082cd66c4f00ea5717/index.js%23L46 •

CVE-2022-23460 – Stack overflow in Jsonxx
https://notcve.org/view.php?id=CVE-2022-23460
19 Aug 2022 — Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. • https://securitylab.github.com/advisories/GHSL-2022-049_Jsonxx • CWE-121: Stack-based Buffer Overflow CWE-674: Uncontrolled Recursion •

CVE-2022-23459 – Double free or Use after Free in Value class of Jsonxx
https://notcve.org/view.php?id=CVE-2022-23459
19 Aug 2022 — Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. • https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx • CWE-415: Double Free CWE-416: Use After Free •

CVE-2022-36010 – Arbitrary code execution via function parsing in react-editable-json-tree
https://notcve.org/view.php?id=CVE-2022-36010
15 Aug 2022 — This library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/components/JsonFunctionValue.js). To do this, Javascript's [`eval`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) function is used to execute strings that begin with "function" as Javascript. This unfortunately could allow arbitrary code to be execute... • https://github.com/oxyno-zeta/react-editable-json-tree/releases/tag/2.2.2 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVE-2022-30241
https://notcve.org/view.php?id=CVE-2022-30241
04 May 2022 — The jquery.json-viewer library through 1.4.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element. • https://github.com/abodelot/jquery.json-viewer/pull/26 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •