Moderate severityNVD Advisory· Published Jul 29, 2013· Updated Jun 16, 2026
CVE-2013-3300
CVE-2013-3300
Description
The JsonParser class in json/JsonParser.scala in Lift before 2.5 interprets a certain end-index value as a length value, which allows remote authenticated users to obtain sensitive information from other users' sessions via invalid input data containing a < (less than) character.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
net.liftweb:lift-webkitMaven | >= 0 | — |
net.liftweb:lift-webkit_2.7.7Maven | >= 0 | — |
net.liftweb:lift-webkit_2.8.0Maven | >= 0 | — |
net.liftweb:lift-webkit_2.8.1Maven | >= 0 | — |
net.liftweb:lift-webkit_2.8.2Maven | >= 0 | — |
net.liftweb:lift-webkit_2.9.0Maven | >= 0 | — |
net.liftweb:lift-webkit_2.9.0-1Maven | >= 0 | — |
net.liftweb:lift-webkit_2.9.1Maven | < 2.5 | 2.5 |
Affected products
19cpe:2.3:a:liftweb:lift:2.1:*:*:*:*:*:*:*+ 10 more
- cpe:2.3:a:liftweb:lift:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:m4:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:rc3:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:rc4:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:rc5:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:*:rc6:*:*:*:*:*:*range: <=2.5
- ghsa-coords8 versionspkg:maven/net.liftweb/lift-webkitpkg:maven/net.liftweb/lift-webkit_2.7.7pkg:maven/net.liftweb/lift-webkit_2.8.0pkg:maven/net.liftweb/lift-webkit_2.8.1pkg:maven/net.liftweb/lift-webkit_2.8.2pkg:maven/net.liftweb/lift-webkit_2.9.0pkg:maven/net.liftweb/lift-webkit_2.9.0-1pkg:maven/net.liftweb/lift-webkit_2.9.1
>= 0+ 7 more
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: < 2.5
Patches
Vulnerability mechanics
References
4- blog.addepar.com/2013/07/an-atypical-web-vulnerability.htmlnvdExploitWEB
- github.com/lift/framework/commit/099d9c86cf6d81f4953957add478ab699946e601nvdExploitPatchWEB
- github.com/advisories/GHSA-jf9v-fxfq-wm76ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-3300ghsaADVISORY
News mentions
0No linked articles in our index yet.