XML External Entity (XXE) Injection (package: net.liftweb:lift-json_2.9.1)
Lift 2.5.1 was found to be vulnerable to XML External Entity attacks, which can leak private files through your application when parsing certain types of XML. In the process of communicating the vulnerability to Typesafe, they referred us to a more-restricted version of XML parsing used to prevent additional vulnerabilities like the billion laughs vulnerability and its sibling quadratic blowup vulnerability.
Information Exposure (package: net.liftweb:lift-json_2.9.1)
The JsonParser class in json/JsonParser.scala in Lift before 2.5 interprets a certain end-index value as a length value, which allows remote authenticated users to obtain sensitive information from other users' sessions via invalid input data containing a < (less than) character.