Poppingsnack

**Name of the Vulnerable Software and Affected Versions** mvel2 version 2.5.0 Final **Description** A TimeOut error exists in the `ParseTools.subCompileExpression` method due to many Java class lookups, potentially causing a long execution time. The vendor disputes the significance of this issue, stating that the only expected consequence is a significant delay in the parser completing its task. **Recommendations** For mvel2 version 2.5.0 Final, consider applying optimization techniques to reduce the number of Java class lookups in the `ParseTools.subCompileExpression` method to mitigate the risk of a TimeOut error. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** json-path version 2.8.0 **Description** The issue is related to a stack overflow in the `Criteria.parse()` method of the json-path library. This can potentially allow a remote attacker to cause a denial of service. **Recommendations** For json-path version 2.8.0, consider disabling the `Criteria.parse()` method as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** jtidy versions thru r938 **Description** The issue is related to a stack overflow error in the jtidy library, which is used for cleaning and validating HTML code. Exploitation of this issue can allow a remote attacker to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies. **Recommendations** For jtidy versions thru r938, consider disabling the use of cyclic dependencies in crafted objects until a patch is available. As a temporary workaround, restrict the use of jtidy library to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** json-io versions 4.14.0 and earlier **Description** An issue was discovered that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies. **Recommendations** For json-io versions 4.14.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mjson versions 1.4.1 and earlier **Description** An issue allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies. **Recommendations** For mjson versions 1.4.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ph-json versions 9.5.5 and earlier **Description** An issue allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies. **Recommendations** For versions 9.5.5 and earlier, consider disabling the handling of cyclic dependencies in objects as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** sojo versions 1.1.1 and earlier **Description** An issue allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies. **Recommendations** For sojo versions 1.1.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JSONUtil versions 5.0 and earlier **Description** An issue was discovered in JSONUtil that allows attackers to cause a denial of service or other unspecified impacts via crafted objects that use cyclic dependencies or have deeply nested structures. **Recommendations** For JSONUtil versions 5.0 and earlier, as a temporary workaround, consider restricting the use of crafted objects with cyclic dependencies or deeply nested structures until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pbjson versions 0.4.0 and earlier **Description** An issue allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies. **Recommendations** For versions 0.4.0 and earlier, consider disabling the use of cyclic dependencies in objects until a patch is available. As a temporary workaround, restrict the processing of crafted objects to minimize the risk of exploitation. Avoid using pbjson for parsing objects with cyclic dependencies until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** genson versions 1.6 and earlier **Description** An issue allows attackers to cause a denial of service or other unspecified impacts via crafted objects that use cyclic dependencies or have deeply nested structures. **Recommendations** For genson versions 1.6 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** hjson versions 3.0.0 and earlier **Description** An issue in hjson allows attackers to cause a denial of service or other unspecified impacts via crafted objects that use cyclic dependencies or have deeply nested structures. **Recommendations** For hjson versions 3.0.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jjson versions 0.1.7 and earlier **Description** An issue in jjson allows attackers to cause a denial of service or other unspecified impacts via crafted objects that use cyclic dependencies or have deeply nested structures. **Recommendations** For jjson versions 0.1.7 and earlier, as a temporary workaround, consider disabling the use of deeply nested structures and cyclic dependencies in crafted objects until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jackson-databind versions 2.12.0 through 2.15.2 **Description** The issue in jackson-databind is related to unlimited resource allocation, which can be exploited to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. **Recommendations** For jackson-databind versions 2.12.0 through 2.15.2, consider disabling the serialization of cyclic data structures as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HtmlCleaner versions 2.28 and earlier **Description** The issue allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies. It is related to a buffer overflow in memory, which can be exploited by a remote attacker to cause a denial of service. **Recommendations** For HtmlCleaner versions 2.28 and earlier, update to a version later than 2.28 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Janino versions 3.1.9 and earlier **Description** The issue allows for denial of service (DOS) attacks when using the `evaluator.guess` parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow. It is noted that this is disputed by multiple parties because Janino is not intended for use with untrusted input. **Recommendations** For Janino versions 3.1.9 and earlier, as a temporary workaround, consider restricting the use of the `evaluator.guess` parameter name method until a patch is available. Avoid running the parser on user-supplied input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** hawtio version 2.17.2 **Description** The issue allows an attacker to input malicious zip files, which can result in high-risk files after decompression being stored in any location, potentially leading to file overwrite. This is due to a Path Traversal vulnerability. **Recommendations** For hawtio version 2.17.2, consider restricting the input of zip files or implementing validation to prevent malicious files from being decompressed and stored in sensitive locations. As a temporary workaround, avoid using the zip file upload feature until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pandao editor.md versions 1.5.0 and earlier **Description** The issue allows attackers to inject arbitrary web script or HTML via crafted markdown text, which can lead to Cross Site Scripting (XSS) attacks. This enables attackers to execute malicious scripts on the victim's browser, potentially leading to unauthorized actions or data theft. **Recommendations** For pandao editor.md versions 1.5.0 and earlier, consider disabling the markdown text parsing functionality until a patch is available. Restrict access to the editor.md module to minimize the risk of exploitation. Avoid using crafted markdown text in the affected pandao editor.md versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PerfreeBlog version 3.1.2 **Description** The issue is a Cross Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via the Post function. This enables attackers to potentially inject malicious scripts into the website, affecting user sessions. **Recommendations** For PerfreeBlog version 3.1.2, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the Post function until a patch is available. Avoid using the Post function in a way that could allow arbitrary code execution until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Antabot White-Jotter version 0.2.2 **Description** The issue allows remote attackers to execute malicious code via the `file` parameter to the `coversUpload` function. This enables attackers to upload malicious files, potentially leading to code execution. **Recommendations** For Antabot White-Jotter version 0.2.2, consider disabling the `coversUpload` function until a patch is available to prevent remote attackers from executing malicious code. Restrict access to the file upload feature to minimize the risk of exploitation. Avoid using the `file` parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZHENFENG13 My-Blog (affected versions not specified) **Description** A cross site scripting (XSS) issue allows attackers to inject arbitrary web script or HTML via the `title` field in the "blog management" page due to the default configuration not using `MyBlogUtils.cleanString`. This enables attackers to execute malicious scripts on the website. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.