DATABASE RESOURCES PRICING ABOUT US

{"id": "CVE-2019-11358", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2019-11358", "description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", "published": "2019-04-20T00:29:00", "modified": "2023-08-31T03:15:00", "epss": [{"cve": "CVE-2019-11358", "epss": 0.02952, "percentile": 0.89598, "modified": "2023-09-07"}], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358", "reporter": "cve@mitre.org", "references": ["https://www.drupal.org/sa-core-2019-006", "https://snyk.io/vuln/SNYK-JS-JQUERY-174006", "https://github.com/jquery/jquery/pull/4333", "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b", "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "https://backdropcms.org/security/backdrop-sa-core-2019-009", "https://www.debian.org/security/2019/dsa-4434", "https://seclists.org/bugtraq/2019/Apr/32", "http://www.securityfocus.com/bid/108023", "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E", "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E", "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E", "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E", "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/", "https://seclists.org/bugtraq/2019/May/18", "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html", "http://seclists.org/fulldisclosure/2019/May/13", "http://seclists.org/fulldisclosure/2019/May/11", "http://seclists.org/fulldisclosure/2019/May/10", "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html", "http://www.openwall.com/lists/oss-security/2019/06/03/2", "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html", "https://access.redhat.com/errata/RHSA-2019:1456", "https://www.debian.org/security/2019/dsa-4460", "https://seclists.org/bugtraq/2019/Jun/12", "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html", "https://access.redhat.com/errata/RHBA-2019:1570", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html", "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E", "https://access.redhat.com/errata/RHSA-2019:2587", "https://security.netapp.com/advisory/ntap-20190919-0001/", "https://access.redhat.com/errata/RHSA-2019:3023", "https://access.redhat.com/errata/RHSA-2019:3024", "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", "https://www.synology.com/security/advisory/Synology_SA_19_19", "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E", "https://www.tenable.com/security/tns-2019-08", "https://www.oracle.com/security-alerts/cpujan2020.html", "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html", "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html", "https://www.tenable.com/security/tns-2020-02", "https://www.oracle.com/security-alerts/cpuapr2020.html", "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E", "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E", "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E", "https://www.oracle.com/security-alerts/cpujul2020.html", "https://www.oracle.com/security-alerts/cpuoct2020.html", "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601", "https://www.oracle.com/security-alerts/cpujan2021.html", "https://www.oracle.com/security-alerts/cpuApr2021.html", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1", "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"], "cvelist": ["CVE-2019-11358"], "immutableFields": [], "lastseen": "2023-09-07T22:31:11", "viewCount": 1089, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2020:4670", "ALSA-2020:4847"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2019-11358"]}, {"type": "altlinux", "idList": ["19D9D4CF9E621238B64E7009C574A2B2", "B3637B4143317F3EF89506F8A87A1616"]}, {"type": "amazon", "idList": ["ALAS2-2020-1519", "ALAS2-2023-1905"]}, {"type": "archlinux", "idList": ["ASA-201906-2"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BSERV-11753", "ATLASSIAN:CRUC-8408", "ATLASSIAN:FE-7196", "ATLASSIAN:JRASERVER-69725", "ATLASSIAN:JRASERVER-70929", "BSERV-11753", "CRUC-8408", "FE-7196", "JRASERVER-69725"]}, {"type": "attackerkb", "idList": ["AKB:5C46E63B-643E-4656-B654-4FBA061ECF66"]}, {"type": "centos", "idList": ["CESA-2020:3936"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0561"]}, {"type": "cnvd", "idList": ["CNVD-2023-07750"]}, {"type": "cve", "idList": ["CVE-2019-5428"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1777-1:55799", "DEBIAN:DLA-1797-1:1A7B8", "DEBIAN:DLA-1797-1:A2877", "DEBIAN:DLA-2118-1:5E0A4", "DEBIAN:DSA-4434-1:82FB6", "DEBIAN:DSA-4434-1:D2F07", "DEBIAN:DSA-4460-1:50632"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-11358"]}, {"type": "drupal", "idList": ["DRUPAL-SA-CORE-2019-006"]}, {"type": "f5", "idList": ["F5:K20455158"]}, {"type": "fedora", "idList": ["FEDORA:0E6FD60E1861", "FEDORA:10ED96049C48", "FEDORA:11C9F606DF50", "FEDORA:2B920607600F", "FEDORA:320386075B54", "FEDORA:3230260BA78B", "FEDORA:3787360525AF", "FEDORA:3F234602D69C", "FEDORA:438D16045644", "FEDORA:4A1276046F94"]}, {"type": "freebsd", "idList": ["3C5A4FE0-9EBB-11E9-9169-FCAA147E860E", "FFC73E87-87F0-11E9-AD56-FCAA147E860E"]}, {"type": "github", "idList": ["GHSA-6C3J-C64M-QHGQ"]}, {"type": "githubexploit", "idList": ["2B8C7714-D2D7-50C4-BEB8-B616BD51A554", "B38C8387-765B-587E-BBED-9336E586B3E2", "C0148A2C-75C9-5375-AE2F-DBEDCCD0999F", "C7E2EC97-A49D-5063-BC43-995A0E058FCF", "E83D6606-6F89-5700-B703-B87CF90D6565"]}, {"type": "hackerone", "idList": ["H1:454365"]}, {"type": "ibm", "idList": ["02208B95DC0377482AA2F9D9C05755BE90534C1B3F7475FC805AC14769FE9106", "0251DBCB96D0ED10DA628D06B0978F8DE5AB5BDFE82E017184802BFCC0709826", "1409CD05A45669BF88F7CEAB610D65B1F84FD0522659550C3AD802B5214CCF7A", "167951D4CB6682B161C7C63B81A840E45EF18CAE83E9A3ED32C423308A35D68F", "18F70AA47E2E43F4DA8767A4A95C24F6E49AC9CA2DA52A0DD0B10595AB37B715", "20372756D0D4D41E4530AE121905256C2AF155E987D21A7B2CC7D85274A6AE1D", "2955FD677307C59BC4E381D8CA0275D629803259C2176CE4E845D6B42BA2E178", "2FBA4A0FB6AAAC5B96D5638614DE0F0DD6C37754E93BCB6DD5A92FF9E1771D92", "32A552C9D601D5556D9E77A4710C33359E9E59554828DF5DF32E88FA7D8B12FD", "3669E45D7FE2AA83192FF44FAA60FB349B5D39469F2B30F7D69463B2868B4908", "46CE56C60CF59C2CE96E832E3949D9036A709BD9A0B3F2E5A02B11F84C34294E", "5102E26F5F9D162F10D7A53504320571C340046D1DC087AD20DBEB386B11F545", "57AE760DFB50538BE1F8A0AE6498718A547B70C0FEC4480282AF8A01140729ED", "6227E56DAD73769F0362D834B90EB9B1D9A60C3227B1A4516F314052662E33C8", "63C0560C61FE9A9777F6402C4988E794A31F66C8118AFA944D2596065F5D0454", "6BA70D78F086D07D5D04D35657C565B766597C9DE86C3B8D586D271713B4D89A", "6BC9040B51F3B0282E132873A0D807E58D8450D20237A38329B62B37AB7F1BD6", "759B56FD4AA17873CFEF240471D53E2CE3CC4A7775D72A8FF17D44E868820C96", "7673ECA7C26C82F326589C66582D68F7F87357B4FB250AD73DE7E7F5EC924344", "7C6822723C8DED69D9FBC4D1DC69A54DC5A848CD239869AB0C90FC327D194CAA", "7D67D80D4B93C266A649B84CAFDD0C7C0525E4EF25DE3D86F84615A02E71F9A3", "7E1CB2FDA212C7A8FC0CCD8803720285F00C1F62F3E2628C7217A85BFA5FFBC8", "807F02BF5D04D1D709B1D383A56D073A3E2ABB5E058B819FF145C9C80E083AF4", "88982C3BC765C275837ADC018CDBF4C480BAB80750C3DC007054B3AED0A5724E", "93A2C56B0AB96E65E4360EC6548816D3C33DE282AFCF4BF7B723C6CAF3370854", "93FB43619692E9A4D81819FDEE2EC14BE9B5E62B4E287FD49E3F7D0FE31D653A", "97D5F772EC68BDCD260FBB9DFB7A322AAAC657E9360305DF11F9C6A6A40D1B85", "98B323422CA792F32B2EA7482D9D79B9F9D15C3830E9ED03453DF7CC38205557", "9ED959A552F1F1135D021720BFEF601A33E4FF298A735DCF0648EF0558E731A9", "B609D685D630C87BB458CB89A66B87A64831A7617912F7856869B7F1B264C40C", "B673694C2888EE95A6BAB04A5C155DEAA18A41E4DF0C4AE45D1C5C2E3FD7151D", "C240DF09D934E998A5A6E9F16EE5D00606D3852B389FD502ED34EB411645C177", "C247CDADCEBD86F6926A5A03AD862F20EC878D5E1054BCF2C6B70778E3741BB7", "D1C70BE32DEEA561F5BD20121B6CE6B04522C3B0A34D7DF273B2AA52F0E58277", "D63678498B94CE4636F5CEB8FAB7C8F6F571F578E6D0EF1B23F011C3A5778E9E", "DAFB6976639A3A0CD92E6E7C328A7D79DE7ABB5427325AE9867BF17CA6FD2D68", "DB866DC8DC23646847AE5E9E25C02B2DF2A195A414B2734DCAA102E637957BAF", "DFB4A89370117A0C76AEBA610891449C199F7498B60521F9612F1A48A7736A6B", "E51AD2501331015E7E19A3AC49A96E1AC1A7C291EEE9E468031B3BA17AE28285", "EDBB640D9C964C319A40ED15C23232FA8D49C6B495D6EF19F248B4A314B7651D", "F65F1D96E364841337F0770420AA39E180E57CF181628F15C7259D9D9A9E8BDD", "FC367D3847B3B18A075985BFC8A2A8898C7B9AFE3FE16A6F84968131CD5047B4", "FD3F7FDFA4DAAB71D175F1E137285D1F69A465922921368206BF33D36AB43D22", "FD89F92B8829CE7392B47C0ED84C6AFC3595DB7DDA24639A8AB325F2C83DE0D3"]}, {"type": "ics", "idList": ["ICSA-20-133-02", "ICSA-22-097-01"]}, {"type": "joomla", "idList": ["JOOMLA-779"]}, {"type": "kitploit", "idList": ["KITPLOIT:7323577050718865961"]}, {"type": "mageia", "idList": ["MGASA-2019-0279"]}, {"type": "nessus", "idList": ["AL2_ALAS-2020-1519.NASL", "AL2_ALAS-2023-1905.NASL", "CENTOS8_RHSA-2020-4670.NASL", "CENTOS8_RHSA-2020-4847.NASL", "CENTOS_RHSA-2020-3936.NASL", "DEBIAN_DLA-1797.NASL", "DEBIAN_DLA-2118.NASL", "DEBIAN_DSA-4434.NASL", "DEBIAN_DSA-4460.NASL", "EULEROS_SA-2020-2560.NASL", "EULEROS_SA-2021-1346.NASL", "EULEROS_SA-2021-1831.NASL", "FEDORA_2019-1A3EDD7E8A.NASL", "FEDORA_2019-2A0CE0C58C.NASL", "FEDORA_2019-7EAF0BBE7C.NASL", "FEDORA_2019-A06DFFAB1C.NASL", "FEDORA_2019-EBA8E44EE6.NASL", "FEDORA_2019-F563E66380.NASL", "FREEBSD_PKG_3C5A4FE09EBB11E99169FCAA147E860E.NASL", "FREEBSD_PKG_FFC73E8787F011E9AD56FCAA147E860E.NASL", "JQUERY_3_4_0.NASL", "NESSUS_TNS-2023-09.NASL", "NEWSTART_CGSL_NS-SA-2021-0045_IPA.NASL", "NEWSTART_CGSL_NS-SA-2021-0171_IPA.NASL", "OPENSUSE-2019-1839.NASL", "ORACLELINUX_ELSA-2022-7343.NASL", "ORACLE_BI_PUBLISHER_OCT_2020_CPU.NASL", "ORACLE_BPM_CPU_OCT_2020.NASL", "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_OCT_2019_CPU_UI.NASL", "ORACLE_GOLDENGATE_CPU_OCT_2021.NASL", "ORACLE_IDENTITY_MANAGEMENT_CPU_JUL_2021.NASL", "ORACLE_OATS_CPU_JAN_2020.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2020.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_OCT_2019.NASL", "ORACLE_RDBMS_CPU_APR_2021.NASL", "ORACLE_WEBCENTER_SITES_APR_2020_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2019.NASL", "PULSE_CONNECT_SECURE-SA44601.NASL", "PULSE_POLICY_SECURE-SA44601.NASL", "REDHAT-RHSA-2019-3023.NASL", "REDHAT-RHSA-2019-3024.NASL", "REDHAT-RHSA-2020-1325.NASL", "REDHAT-RHSA-2020-3936.NASL", "REDHAT-RHSA-2020-4670.NASL", "REDHAT-RHSA-2020-4847.NASL", "REDHAT-RHSA-2020-5581.NASL", "REDHAT-RHSA-2021-4142.NASL", "REDHAT-RHSA-2022-7343.NASL", "REDHAT-RHSA-2023-0552.NASL", "REDHAT-RHSA-2023-0553.NASL", "REDHAT-RHSA-2023-0554.NASL", "REDHAT-RHSA-2023-1043.NASL", "REDHAT-RHSA-2023-1044.NASL", "REDHAT-RHSA-2023-1045.NASL", "SECURITYCENTER_5_14_0_TNS_2020_02.NASL", "SL_20201001_IPA_ON_SL7_X.NASL", "SL_20221103_PCS_ON_SL7_X.NASL", "SOLARWINDS_ORION_CVE-2020-14005.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108601", "OPENVAS:1361412562310113369", "OPENVAS:1361412562310142300", "OPENVAS:1361412562310142301", "OPENVAS:1361412562310142314", "OPENVAS:1361412562310142508", "OPENVAS:1361412562310142509", "OPENVAS:1361412562310704434", "OPENVAS:1361412562310704460", "OPENVAS:1361412562310852959", "OPENVAS:1361412562310876319", "OPENVAS:1361412562310876320", "OPENVAS:1361412562310876325", "OPENVAS:1361412562310876327", "OPENVAS:1361412562310876331", "OPENVAS:1361412562310876342", "OPENVAS:1361412562310876410", "OPENVAS:1361412562310876414", "OPENVAS:1361412562310876417", "OPENVAS:1361412562310877098", "OPENVAS:1361412562310891777", "OPENVAS:1361412562310891797", "OPENVAS:1361412562310892118"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2020", "ORACLE:CPUAPR2021", "ORACLE:CPUJAN2020", "ORACLE:CPUJAN2021", "ORACLE:CPUJAN2022", "ORACLE:CPUJUL2019", "ORACLE:CPUJUL2020", "ORACLE:CPUJUL2021", "ORACLE:CPUOCT2019", "ORACLE:CPUOCT2020", "ORACLE:CPUOCT2021"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-3936", "ELSA-2020-4670", "ELSA-2020-4847", "ELSA-2022-7343"]}, {"type": "osv", "idList": ["OSV:DLA-1797-1", "OSV:DLA-2118-1", "OSV:DSA-4434-1", "OSV:DSA-4460-1", "OSV:GHSA-6C3J-C64M-QHGQ"]}, {"type": "redhat", "idList": ["RHSA-2019:1456", "RHSA-2019:2587", "RHSA-2019:3023", "RHSA-2019:3024", "RHSA-2020:1325", "RHSA-2020:2412", "RHSA-2020:3936", "RHSA-2020:4298", "RHSA-2020:4670", "RHSA-2020:4847", "RHSA-2020:5581", "RHSA-2021:4142", "RHSA-2022:7343", "RHSA-2023:0552", "RHSA-2023:0553", "RHSA-2023:0554", "RHSA-2023:0556", "RHSA-2023:1043", "RHSA-2023:1044", "RHSA-2023:1045", "RHSA-2023:1047", "RHSA-2023:1049"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-11358"]}, {"type": "rocky", "idList": ["RLSA-2020:4670", "RLSA-2020:4847", "RLSA-2021:4142"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1839-1", "OPENSUSE-SU-2019:1872-1"]}, {"type": "symantec", "idList": ["SMNTC-108023"]}, {"type": "typo3", "idList": ["TYPO3-PSA-2019-004"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-11358"]}, {"type": "veracode", "idList": ["VERACODE:13659"]}]}, "exploitation": {"wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:5C46E63B-643E-4656-B654-4FBA061ECF66"]}], "wildExploited": true}, "score": {"value": 1.6, "vector": "NONE"}, "twitter": {"counter": 6, "tweets": [{"link": "https://twitter.com/CswWorks/status/1424291792720220162", "text": "Oracle patches: CISA had issued warning alerts to 16 vulnerabilities. \n\n9 CVEs have known exploits.\n\nCVE-2019-11358 is associated with Maze ransomware, APT1, and 9 malware threats.\n\nRead full analysis - https://t.co/HMgWGQI4IC?amp=1\n/hashtag/SecurityDebt?src=hashtag_click /hashtag/VulnerabilityManagement?src=hashtag_click /hashtag/Patches?src=hashtag_click"}, {"link": "https://twitter.com/management_sun/status/1419519941519175682", "text": "IT Risk:https://t.co/gc9mfEgw4V?amp=1 QRadar SIEM\u306b\u8907\u6570\u306e\u8106\u5f31\u6027\nCVE-2021-28657 CVE-2020-13956 CVE-2020-13954 CVE-2020-11987 CVE-2020-11023 CVE-2020-11022 CVE-2020-8908 CVE-2019-11358 CVE-2015-9251 \nhttps://t.co/SsCpBwNlDO?amp=1\nhttps://t.co/lEQSbbw9mu?amp=1"}, {"link": "https://twitter.com/Nick_nick310/status/1404574624051089411", "text": "prototype pollution\u306e\u826f\u3044\u52c9\u5f37\u306b\u306a\u308a\u307e\u3057\u305f\u3002\n\njquery\u306e\u8106\u5f31\u6027 CVE-2019-11358(prototype pollution) \u52d5\u4f5c\u78ba\u8a8d\u3068\u4fee\u6b63\u7b87\u6240\u78ba\u8a8d"}, {"link": "https://twitter.com/management_sun/status/1419520021777174531", "text": "IT Risk: Multiple vulnerabilities in https://t.co/gc9mfEgw4V?amp=1 QRadar SIEM\nCVE-2021-28657 CVE-2020-13956 CVE-2020-13954 CVE-2020-11987 CVE-2020-11023 CVE-2020-11022 CVE-2020-8908 CVE-2019-11358 CVE-2015-9251 \nhttps://t.co/SsCpBwNlDO?amp=1\nhttps://t.co/lEQSbbw9mu?amp=1"}, {"link": "https://twitter.com/buaqbot/status/1525015415138680832", "text": "CVE-2019-11358\u5206\u6790\nhttps://t.co/JIHTocx9cx\nhttps://t.co/VHmqRetUcY", "author": "buaqbot", "author_photo": "https://pbs.twimg.com/profile_images/1422514037154226177/7ViYgn37_400x400.png"}]}, "backreferences": {"references": [{"type": "almalinux", "idList": ["ALSA-2020:4670"]}, {"type": "amazon", "idList": ["ALAS2-2020-1519"]}, {"type": "archlinux", "idList": ["ASA-201906-2"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BSERV-11753"]}, {"type": "attackerkb", "idList": ["AKB:5C46E63B-643E-4656-B654-4FBA061ECF66"]}, {"type": "centos", "idList": ["CESA-2020:3936"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0561"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1777-1:55799", "DEBIAN:DLA-1797-1:1A7B8", "DEBIAN:DSA-4434-1:D2F07", "DEBIAN:DSA-4460-1:50632"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-11358"]}, {"type": "f5", "idList": ["F5:K20455158"]}, {"type": "fedora", "idList": ["FEDORA:10ED96049C48", "FEDORA:11C9F606DF50", "FEDORA:320386075B54", "FEDORA:3F234602D69C", "FEDORA:438D16045644", "FEDORA:4A1276046F94"]}, {"type": "freebsd", "idList": ["FFC73E87-87F0-11E9-AD56-FCAA147E860E"]}, {"type": "github", "idList": ["GHSA-6C3J-C64M-QHGQ"]}, {"type": "githubexploit", "idList": ["2B8C7714-D2D7-50C4-BEB8-B616BD51A554", "B38C8387-765B-587E-BBED-9336E586B3E2", "C0148A2C-75C9-5375-AE2F-DBEDCCD0999F", "C7E2EC97-A49D-5063-BC43-995A0E058FCF", "E83D6606-6F89-5700-B703-B87CF90D6565"]}, {"type": "ibm", "idList": ["98B323422CA792F32B2EA7482D9D79B9F9D15C3830E9ED03453DF7CC38205557", "FC367D3847B3B18A075985BFC8A2A8898C7B9AFE3FE16A6F84968131CD5047B4"]}, {"type": "ics", "idList": ["ICSA-20-133-02"]}, {"type": "joomla", "idList": ["JOOMLA-779"]}, {"type": "kitploit", "idList": ["KITPLOIT:7323577050718865961"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-1797.NASL", "DEBIAN_DSA-4434.NASL", "DEBIAN_DSA-4460.NASL", "FEDORA_2019-1A3EDD7E8A.NASL", "FEDORA_2019-2A0CE0C58C.NASL", "FEDORA_2019-7EAF0BBE7C.NASL", "FEDORA_2019-A06DFFAB1C.NASL", "FEDORA_2019-EBA8E44EE6.NASL", "FEDORA_2019-F563E66380.NASL", "FREEBSD_PKG_3C5A4FE09EBB11E99169FCAA147E860E.NASL", "FREEBSD_PKG_FFC73E8787F011E9AD56FCAA147E860E.NASL", "JQUERY_3_4_0.NASL", "ORACLE_BI_PUBLISHER_OCT_2020_CPU.NASL", "ORACLE_BPM_CPU_OCT_2020.NASL", "REDHAT-RHSA-2020-4670.NASL", "REDHAT-RHSA-2020-4847.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108601", "OPENVAS:1361412562310142314", "OPENVAS:1361412562310704434", "OPENVAS:1361412562310704460", "OPENVAS:1361412562310876319", "OPENVAS:1361412562310876320", "OPENVAS:1361412562310876325", "OPENVAS:1361412562310876327", "OPENVAS:1361412562310876414", "OPENVAS:1361412562310891777", "OPENVAS:1361412562310891797"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2022"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-3936", "ELSA-2020-4670"]}, {"type": "redhat", "idList": ["RHSA-2020:4670"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1839-1", "OPENSUSE-SU-2019:1872-1"]}, {"type": "symantec", "idList": ["SMNTC-108023"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-11358"]}]}, "epss": [{"cve": "CVE-2019-11358", "epss": 0.01863, "percentile": 0.86592, "modified": "2023-05-06"}], "vulnersScore": 1.6}, "_state": {"wildexploited": 0, "dependencies": 1694125922, "score": 1694126688, "twitter": 0, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "6eb8a9b58af9f28a8bb845f2300fa557"}, "cna_cvss": {"cna": "mitre", "cvss": {}}, "cpe": ["cpe:/a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0", "cpe:/a:oracle:communications_session_report_manager:8.2.0", "cpe:/a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8", "cpe:/a:oracle:policy_automation_for_mobile_devices:12.2.15", "cpe:/a:oracle:application_testing_suite:12.5.0.3", "cpe:/a:oracle:hospitality_guest_access:4.2.1", "cpe:/a:oracle:healthcare_foundation:7.3.0", "cpe:/a:oracle:retail_central_office:14.0", "cpe:/a:oracle:utilities_mobile_workforce_management:2.3.0.3", "cpe:/a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0", "cpe:/a:oracle:communications_services_gatekeeper:7.0", "cpe:/a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0", "cpe:/a:oracle:financial_services_market_risk_measurement_and_management:8.0.5", "cpe:/a:oracle:financial_services_asset_liability_management:8.1.0", "cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.2", "cpe:/a:oracle:insurance_accounting_analyzer:8.0.9", "cpe:/a:oracle:hospitality_guest_access:4.2.0", "cpe:/a:oracle:financial_services_institutional_performance_analytics:8.1.0", "cpe:/a:oracle:financial_services_price_creation_and_discovery:8.0.7", "cpe:/o:fedoraproject:fedora:30", "cpe:/a:oracle:financial_services_data_integration_hub:8.0.7", "cpe:/a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0", "cpe:/a:oracle:banking_digital_experience:19.2", "cpe:/a:oracle:healthcare_translational_research:3.4.0", "cpe:/a:oracle:policy_automation_connector_for_siebel:10.4.6", "cpe:/a:oracle:banking_digital_experience:18.2", "cpe:/a:oracle:storagetek_tape_analytics_sw_tool:2.3.0", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57", "cpe:/a:oracle:financial_services_data_integration_hub:8.1.0", "cpe:/a:joomla:joomla\\!:3.9.4", "cpe:/a:oracle:healthcare_foundation:7.2.2", "cpe:/a:oracle:insurance_ifrs_17_analyzer:8.0.6", "cpe:/a:oracle:retail_point-of-service:14.1", "cpe:/a:oracle:weblogic_server:10.3.6.0.0", "cpe:/a:oracle:retail_customer_insights:15.0", "cpe:/a:oracle:real-time_scheduler:2.3.0.3", "cpe:/a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0", "cpe:/o:fedoraproject:fedora:29", "cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:18.0", "cpe:/a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7", "cpe:/a:oracle:retail_point-of-service:14.0", "cpe:/a:oracle:fusion_middleware_mapviewer:12.2.1.3.0", "cpe:/a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0", "cpe:/a:oracle:application_service_level_management:13.2.0.0", "cpe:/a:oracle:communications_unified_inventory_management:7.4.0", "cpe:/a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4", "cpe:/a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.0.7", "cpe:/a:oracle:identity_manager:12.2.1.3.0", "cpe:/a:oracle:primavera_unifier:18.8", "cpe:/a:oracle:hospitality_simphony:18.1", "cpe:/a:redhat:cloudforms:4.7", "cpe:/a:oracle:siebel_mobile_applications:19.8", "cpe:/a:oracle:enterprise_manager_ops_center:12.4.0", "cpe:/a:oracle:healthcare_translational_research:3.3.1", "cpe:/a:oracle:communications_webrtc_session_controller:7.2", "cpe:/a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7", "cpe:/a:oracle:business_process_management_suite:12.2.1.3.0", "cpe:/a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0", "cpe:/a:oracle:communications_analytics:12.1.1", "cpe:/a:oracle:retail_customer_insights:16.0", "cpe:/a:oracle:communications_unified_inventory_management:7.3", "cpe:/a:oracle:policy_automation:12.1.1", "cpe:/a:oracle:healthcare_foundation:7.1.1", "cpe:/a:oracle:retail_returns_management:14.1", "cpe:/a:oracle:healthcare_translational_research:3.1.0", "cpe:/a:oracle:primavera_unifier:17.12", "cpe:/o:fedoraproject:fedora:28", "cpe:/a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0", "cpe:/a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0", "cpe:/a:oracle:communications_interactive_session_recorder:6.4", "cpe:/a:oracle:jdeveloper:12.2.1.4.0", "cpe:/a:oracle:weblogic_server:12.2.1.4.0", "cpe:/a:oracle:primavera_unifier:16.1", "cpe:/a:oracle:communications_operations_monitor:4.0", "cpe:/a:oracle:banking_digital_experience:18.3", "cpe:/a:oracle:policy_automation:12.1.0", "cpe:/a:oracle:communications_billing_and_revenue_management:12.0.0.3.0", "cpe:/a:oracle:financial_services_market_risk_measurement_and_management:8.0.6", "cpe:/a:oracle:service_bus:12.1.3.0.0", "cpe:/a:oracle:financial_services_funds_transfer_pricing:8.0.7", "cpe:/a:oracle:insurance_performance_insight:8.0.7", "cpe:/a:oracle:communications_billing_and_revenue_management:7.5.0.23.0", "cpe:/a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.7", "cpe:/a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8", "cpe:/a:oracle:jdeveloper_and_adf:12.2.1.3.0", "cpe:/a:oracle:financial_services_liquidity_risk_management:8.0.2", "cpe:/a:oracle:bi_publisher:12.2.1.3.0", "cpe:/a:oracle:banking_digital_experience:19.1", "cpe:/a:oracle:application_service_level_management:13.3.0.0", "cpe:/a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7", "cpe:/a:oracle:webcenter_sites:12.2.1.3.0", "cpe:/a:oracle:hospitality_simphony:19.1.2", "cpe:/a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0", "cpe:/a:oracle:healthcare_translational_research:3.3.2", "cpe:/a:oracle:primavera_gateway:18.8.9", "cpe:/a:oracle:insurance_insbridge_rating_and_underwriting:5.6.0.0", "cpe:/a:oracle:primavera_gateway:15.2.18", "cpe:/a:netapp:oncommand_system_manager:3.1.3", "cpe:/a:oracle:application_testing_suite:13.3.0.1", "cpe:/a:oracle:communications_element_manager:8.2.1", "cpe:/a:oracle:enterprise_manager_ops_center:12.4.0.0", "cpe:/a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0", "cpe:/a:oracle:communications_application_session_controller:3.8m0", "cpe:/a:oracle:communications_session_route_manager:8.2.1", "cpe:/a:oracle:primavera_unifier:16.2", "cpe:/a:oracle:jdeveloper_and_adf:12.1.3.0.0", "cpe:/a:oracle:siebel_ui_framework:20.8", "cpe:/a:oracle:financial_services_retail_customer_analytics:8.0.6", "cpe:/a:oracle:financial_services_profitability_management:8.0.7", "cpe:/a:oracle:financial_services_data_foundation:8.0.8", "cpe:/a:oracle:retail_back_office:14.0", "cpe:/a:oracle:retail_back_office:14.1", "cpe:/a:oracle:banking_digital_experience:18.1", "cpe:/a:oracle:weblogic_server:14.1.1.0.0", "cpe:/a:oracle:policy_automation:10.4.7", "cpe:/a:oracle:enterprise_session_border_controller:8.4", "cpe:/a:oracle:banking_digital_experience:20.1", "cpe:/a:oracle:healthcare_translational_research:3.2.1", "cpe:/a:oracle:financial_services_revenue_management_and_billing:2.4.0.1", "cpe:/a:oracle:weblogic_server:12.2.1.3.0", "cpe:/a:oracle:communications_diameter_signaling_router:8.2.1", "cpe:/a:oracle:bi_publisher:12.2.1.4.0", "cpe:/a:oracle:banking_enterprise_collections:2.8.0", "cpe:/a:oracle:primavera_gateway:19.12.4", "cpe:/a:oracle:financial_services_analytical_applications_infrastructure:7.3.5", "cpe:/a:oracle:retail_returns_management:14.0", "cpe:/a:oracle:rest_data_services:18c", "cpe:/a:oracle:transportation_management:1.4.3", "cpe:/a:oracle:financial_services_market_risk_measurement_and_management:8.0.8", "cpe:/a:oracle:rest_data_services:12.2.0.1", "cpe:/a:netapp:snapcenter:-", "cpe:/a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0", "cpe:/a:oracle:system_utilities:19.1", "cpe:/a:oracle:communications_session_report_manager:8.2.1", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.56", "cpe:/a:oracle:retail_central_office:14.1", "cpe:/a:oracle:hospitality_simphony:18.2", "cpe:/a:oracle:financial_services_retail_performance_analytics:8.0.7", "cpe:/a:oracle:bi_publisher:5.5.0.0.0", "cpe:/a:oracle:communications_session_report_manager:8.1.1", "cpe:/o:juniper:junos:21.2", "cpe:/a:oracle:financial_services_analytical_applications_reconciliation_framework:8.0.7", "cpe:/a:oracle:financial_services_asset_liability_management:8.0.7", "cpe:/a:oracle:enterprise_manager_ops_center:12.3.3", "cpe:/a:oracle:financial_services_revenue_management_and_billing:2.4.0.0", "cpe:/a:oracle:application_testing_suite:13.2.0.1", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.55", "cpe:/a:oracle:hospitality_materials_control:18.1", "cpe:/a:oracle:financial_services_funds_transfer_pricing:8.1.0", "cpe:/a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6", "cpe:/a:oracle:service_bus:11.1.1.9.0", "cpe:/a:oracle:financial_services_balance_sheet_planning:8.0.8", "cpe:/a:oracle:healthcare_foundation:7.2.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:opensuse:leap:15.1", "cpe:/a:oracle:communications_element_manager:8.1.1", "cpe:/a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0", "cpe:/a:oracle:communications_session_route_manager:8.2.0", "cpe:/a:oracle:communications_session_route_manager:8.1.1", "cpe:/a:oracle:primavera_gateway:16.2.11", "cpe:/a:oracle:jdeveloper:11.1.1.9.0", "cpe:/a:oracle:communications_diameter_signaling_router:8.1", "cpe:/a:oracle:tape_library_acsls:8.5", "cpe:/a:oracle:financial_services_basel_regulatory_capital_basic:8.0.7", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58", "cpe:/a:oracle:communications_diameter_signaling_router:8.2", "cpe:/a:oracle:financial_services_liquidity_risk_management:8.0.6", "cpe:/a:oracle:rest_data_services:12.1.0.2", "cpe:/a:oracle:jdeveloper:12.2.1.3.0", "cpe:/a:oracle:big_data_discovery:1.6", "cpe:/a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.7", "cpe:/a:oracle:rest_data_services:11.2.0.4", "cpe:/a:oracle:communications_billing_and_revenue_management:7.5", "cpe:/a:oracle:business_process_management_suite:12.2.1.4.0", "cpe:/a:oracle:insurance_data_foundation:8.0.7", "cpe:/a:oracle:agile_product_lifecycle_management_for_process:6.1", "cpe:/a:oracle:communications_operations_monitor:3.4", "cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.1.0", "cpe:/a:oracle:application_testing_suite:13.2", "cpe:/a:oracle:financial_services_data_governance_for_us_regulatory_reporting:8.0.9", "cpe:/a:oracle:tape_library_acsls:8.5.1", "cpe:/a:oracle:communications_operations_monitor:4.3", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:jdeveloper_and_adf:11.1.1.9.0", "cpe:/a:oracle:financial_services_profitability_management:8.1.0", "cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:19.0", "cpe:/a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6", "cpe:/a:oracle:application_testing_suite:13.3", "cpe:/a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:8.0.7", "cpe:/a:oracle:financial_services_retail_performance_analytics:8.0.6", "cpe:/a:redhat:virtualization_manager:4.3", "cpe:/a:oracle:financial_services_institutional_performance_analytics:8.0.7", "cpe:/a:oracle:communications_billing_and_revenue_management:12.0", "cpe:/a:oracle:rest_data_services:19c", "cpe:/a:oracle:service_bus:12.2.1.3.0", "cpe:/a:opensuse:backports_sle:15.0", "cpe:/a:oracle:knowledge:8.6.3", "cpe:/a:oracle:policy_automation:12.2.15", "cpe:/a:oracle:application_testing_suite:13.1.0.1", "cpe:/a:oracle:communications_element_manager:8.2.0", "cpe:/a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0", "cpe:/a:oracle:communications_diameter_signaling_router:8.0.0", "cpe:/a:oracle:banking_platform:2.10.0", "cpe:/a:oracle:communications_operations_monitor:4.1.0", "cpe:/a:oracle:diagnostic_assistant:2.12.36", "cpe:/a:oracle:primavera_gateway:17.12.7", "cpe:/a:oracle:insurance_ifrs_17_analyzer:8.0.7", "cpe:/a:oracle:communications_eagle_application_processor:16.4.0"], "cpe23": ["cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:*", "cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:real-time_scheduler:2.3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:knowledge:8.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*", "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.15:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*", "cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_foundation:8.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_eagle_application_processor:16.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:siebel_mobile_applications:19.8:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:7.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:18.8.9:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*", "cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_collections:2.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:17.12.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_system_manager:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:8.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:policy_automation:12.2.15:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_simphony:19.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*", "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:19.12.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*", "cpe:2.3:a:oracle:insurance_data_foundation:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:16.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*"], "cwe": ["CWE-1321"], "affectedSoftware": [{"cpeName": "jquery:jquery", "version": "3.4.0", "operator": "lt", "name": "jquery"}, {"cpeName": "debian:debian_linux", "version": "8.0", "operator": "eq", "name": "debian debian linux"}, {"cpeName": "debian:debian_linux", "version": "9.0", "operator": "eq", "name": "debian debian linux"}, {"cpeName": "drupal:drupal", "version": "7.66", "operator": "lt", "name": "drupal"}, {"cpeName": "drupal:drupal", "version": "8.5.15", "operator": "lt", "name": "drupal"}, {"cpeName": "drupal:drupal", "version": "8.6.15", "operator": "lt", "name": "drupal"}, {"cpeName": "backdropcms:backdrop", "version": "1.11.9", "operator": "lt", "name": "backdropcms backdrop"}, {"cpeName": "backdropcms:backdrop", "version": "1.12.6", "operator": "lt", "name": "backdropcms backdrop"}, {"cpeName": "fedoraproject:fedora", "version": "28", "operator": "eq", "name": "fedoraproject fedora"}, {"cpeName": "fedoraproject:fedora", "version": "29", "operator": "eq", "name": "fedoraproject fedora"}, {"cpeName": "fedoraproject:fedora", "version": "30", "operator": "eq", "name": "fedoraproject fedora"}, {"cpeName": "opensuse:leap", "version": "15.1", "operator": "eq", "name": "opensuse leap"}, {"cpeName": "opensuse:backports_sle", "version": "15.0", "operator": "eq", "name": "opensuse backports sle"}, {"cpeName": "netapp:snapcenter", "version": "-", "operator": "eq", "name": "netapp snapcenter"}, {"cpeName": "netapp:oncommand_system_manager", "version": "3.1.3", "operator": "le", "name": "netapp oncommand system manager"}, {"cpeName": "redhat:cloudforms", "version": "4.7", "operator": "eq", "name": "redhat cloudforms"}, {"cpeName": "redhat:virtualization_manager", "version": "4.3", "operator": "eq", "name": "redhat virtualization manager"}, {"cpeName": "oracle:service_bus", "version": "12.1.3.0.0", "operator": "eq", "name": "oracle service bus"}, {"cpeName": "oracle:primavera_unifier", "version": "16.2", "operator": "eq", "name": "oracle primavera unifier"}, {"cpeName": "oracle:jd_edwards_enterpriseone_tools", "version": "9.2", "operator": "eq", "name": "oracle jd edwards enterpriseone tools"}, {"cpeName": "oracle:weblogic_server", "version": "12.1.3.0.0", "operator": "eq", "name": "oracle weblogic server"}, {"cpeName": "oracle:service_bus", "version": "11.1.1.9.0", "operator": "eq", "name": "oracle service bus"}, {"cpeName": "oracle:jdeveloper", "version": "11.1.1.9.0", "operator": "eq", "name": "oracle jdeveloper"}, {"cpeName": "oracle:primavera_unifier", "version": "16.1", "operator": "eq", "name": "oracle primavera unifier"}, {"cpeName": "oracle:application_testing_suite", "version": "12.5.0.3", "operator": "eq", "name": "oracle application testing suite"}, {"cpeName": "oracle:peoplesoft_enterprise_peopletools", "version": "8.55", "operator": "eq", "name": "oracle peoplesoft enterprise peopletools"}, {"cpeName": "oracle:retail_back_office", "version": "14.1", "operator": "eq", "name": "oracle retail back office"}, {"cpeName": "oracle:retail_back_office", "version": "14.0", "operator": "eq", "name": "oracle retail back office"}, {"cpeName": "oracle:peoplesoft_enterprise_peopletools", "version": "8.56", "operator": "eq", "name": "oracle peoplesoft enterprise peopletools"}, {"cpeName": "oracle:hospitality_guest_access", "version": "4.2.0", "operator": "eq", "name": "oracle hospitality guest access"}, {"cpeName": "oracle:hospitality_guest_access", "version": "4.2.1", "operator": "eq", "name": "oracle hospitality guest access"}, {"cpeName": "oracle:weblogic_server", "version": "10.3.6.0.0", "operator": "eq", "name": "oracle weblogic server"}, {"cpeName": "oracle:communications_webrtc_session_controller", "version": "7.2", "operator": "eq", "name": "oracle communications webrtc session controller"}, {"cpeName": "oracle:weblogic_server", "version": "12.2.1.3.0", "operator": "eq", "name": "oracle weblogic server"}, {"cpeName": "oracle:financial_services_market_risk_measurement_and_management", "version": "8.0.5", "operator": "eq", "name": "oracle financial services market risk measurement and management"}, {"cpeName": "oracle:financial_services_liquidity_risk_management", "version": "8.0.5.0.0", "operator": "eq", "name": "oracle financial services liquidity risk management"}, {"cpeName": "oracle:financial_services_liquidity_risk_management", "version": "8.0.4.0.0", "operator": "eq", "name": "oracle financial services liquidity risk management"}, {"cpeName": "oracle:financial_services_liquidity_risk_management", "version": "8.0.0.1.0", "operator": "eq", "name": "oracle financial services liquidity risk management"}, {"cpeName": "oracle:communications_unified_inventory_management", "version": "7.3", "operator": "eq", "name": "oracle communications unified inventory management"}, {"cpeName": "oracle:enterprise_manager_ops_center", "version": "12.3.3", "operator": "eq", "name": "oracle enterprise manager ops center"}, {"cpeName": "oracle:agile_product_lifecycle_management_for_process", "version": "6.2.0.0", "operator": "eq", "name": "oracle agile product lifecycle management for process"}, {"cpeName": "oracle:agile_product_lifecycle_management_for_process", "version": "6.2.1.0", "operator": "eq", "name": "oracle agile product lifecycle management for process"}, {"cpeName": "oracle:webcenter_sites", "version": "12.2.1.3.0", "operator": "eq", "name": "oracle webcenter sites"}, {"cpeName": "oracle:business_process_management_suite", "version": "12.2.1.3.0", "operator": "eq", "name": "oracle business process management suite"}, {"cpeName": "oracle:fusion_middleware_mapviewer", "version": "12.2.1.3.0", "operator": "eq", "name": "oracle fusion middleware mapviewer"}, {"cpeName": "oracle:peoplesoft_enterprise_peopletools", "version": "8.57", "operator": "eq", "name": "oracle peoplesoft enterprise peopletools"}, {"cpeName": "oracle:identity_manager", "version": "12.2.1.3.0", "operator": "eq", "name": "oracle identity manager"}, {"cpeName": "oracle:application_testing_suite", "version": "13.1.0.1", "operator": "eq", "name": "oracle application testing suite"}, {"cpeName": "oracle:application_testing_suite", "version": "13.2.0.1", "operator": "eq", "name": "oracle application testing suite"}, {"cpeName": "oracle:application_testing_suite", "version": "13.3.0.1", "operator": "eq", "name": "oracle application testing suite"}, {"cpeName": "oracle:retail_customer_insights", "version": "15.0", "operator": "eq", "name": "oracle retail customer insights"}, {"cpeName": "oracle:retail_customer_insights", "version": "16.0", "operator": "eq", "name": "oracle retail customer insights"}, {"cpeName": "oracle:retail_returns_management", "version": "14.0", "operator": "eq", "name": "oracle retail returns management"}, {"cpeName": "oracle:retail_returns_management", "version": "14.1", "operator": "eq", "name": "oracle retail returns management"}, {"cpeName": "oracle:retail_central_office", "version": "14.0", "operator": "eq", "name": "oracle retail central office"}, {"cpeName": "oracle:retail_central_office", "version": "14.1", "operator": "eq", "name": "oracle retail central office"}, {"cpeName": "oracle:communications_billing_and_revenue_management", "version": "7.5", "operator": "eq", "name": "oracle communications billing and revenue management"}, {"cpeName": "oracle:communications_billing_and_revenue_management", "version": "12.0", "operator": "eq", "name": "oracle communications billing and revenue management"}, {"cpeName": "oracle:primavera_unifier", "version": "18.8", "operator": "eq", "name": "oracle primavera unifier"}, {"cpeName": "oracle:retail_customer_management_and_segmentation_foundation", "version": "18.0", "operator": "eq", "name": "oracle retail customer management and segmentation foundation"}, {"cpeName": "oracle:jdeveloper", "version": "12.2.1.3.0", "operator": "eq", "name": "oracle jdeveloper"}, {"cpeName": "oracle:bi_publisher", "version": "12.2.1.4.0", "operator": "eq", "name": "oracle bi publisher"}, {"cpeName": "oracle:bi_publisher", "version": "12.2.1.3.0", "operator": "eq", "name": "oracle bi publisher"}, {"cpeName": "oracle:retail_point-of-service", "version": "14.1", "operator": "eq", "name": "oracle retail point-of-service"}, {"cpeName": "oracle:retail_point-of-service", "version": "14.0", "operator": "eq", "name": "oracle retail point-of-service"}, {"cpeName": "oracle:policy_automation_connector_for_siebel", "version": "10.4.6", "operator": "eq", "name": "oracle policy automation connector for siebel"}, {"cpeName": "oracle:policy_automation", "version": "10.4.7", "operator": "eq", "name": "oracle policy automation"}, {"cpeName": "oracle:policy_automation", "version": "12.1.0", "operator": "eq", "name": "oracle policy automation"}, {"cpeName": "oracle:policy_automation", "version": "12.1.1", "operator": "eq", "name": "oracle policy automation"}, {"cpeName": "oracle:communications_operations_monitor", "version": "3.4", "operator": "eq", "name": "oracle communications operations monitor"}, {"cpeName": "oracle:communications_operations_monitor", "version": "4.0", "operator": "eq", "name": "oracle communications operations monitor"}, {"cpeName": "oracle:service_bus", "version": "12.2.1.3.0", "operator": "eq", "name": "oracle service bus"}, {"cpeName": "oracle:primavera_unifier", "version": "17.12", "operator": "le", "name": "oracle primavera unifier"}, {"cpeName": "oracle:agile_product_lifecycle_management_for_process", "version": "6.2.2.0", "operator": "eq", "name": "oracle agile product lifecycle management for process"}, {"cpeName": "oracle:agile_product_lifecycle_management_for_process", "version": "6.2.3.0", "operator": "eq", "name": "oracle agile product lifecycle management for process"}, {"cpeName": "oracle:financial_services_market_risk_measurement_and_management", "version": "8.0.6", "operator": "eq", "name": "oracle financial services market risk measurement and management"}, {"cpeName": "oracle:financial_services_loan_loss_forecasting_and_provisioning", "version": "8.0.7", "operator": "le", "name": "oracle financial services loan loss forecasting and provisioning"}, {"cpeName": "oracle:financial_services_hedge_management_and_ifrs_valuations", "version": "8.0.7", "operator": "le", "name": "oracle financial services hedge management and ifrs valuations"}, {"cpeName": "oracle:financial_services_funds_transfer_pricing", "version": "8.0.7", "operator": "le", "name": "oracle financial services funds transfer pricing"}, {"cpeName": "oracle:financial_services_data_integration_hub", "version": "8.0.7", "operator": "le", "name": "oracle financial services data integration hub"}, {"cpeName": "oracle:financial_services_asset_liability_management", "version": "8.0.7", "operator": "le", "name": "oracle financial services asset liability management"}, {"cpeName": "oracle:financial_services_analytical_applications_infrastructure", "version": "7.3.5", "operator": "le", "name": "oracle financial services analytical applications infrastructure"}, {"cpeName": "oracle:hospitality_materials_control", "version": "18.1", "operator": "eq", "name": "oracle hospitality materials control"}, {"cpeName": "oracle:healthcare_translational_research", "version": "3.1.0", "operator": "eq", "name": "oracle healthcare translational research"}, {"cpeName": "oracle:communications_unified_inventory_management", "version": "7.4.0", "operator": "eq", "name": "oracle communications unified inventory management"}, {"cpeName": "oracle:enterprise_manager_ops_center", "version": "12.4.0", "operator": "eq", "name": "oracle enterprise manager ops center"}, {"cpeName": "oracle:application_testing_suite", "version": "13.3", "operator": "eq", "name": "oracle application testing suite"}, {"cpeName": "oracle:banking_digital_experience", "version": "18.2", "operator": "eq", "name": "oracle banking digital experience"}, {"cpeName": "oracle:banking_digital_experience", "version": "18.3", "operator": "eq", "name": "oracle banking digital experience"}, {"cpeName": "oracle:banking_digital_experience", "version": "19.1", "operator": "eq", "name": "oracle banking digital experience"}, {"cpeName": "oracle:banking_digital_experience", "version": "18.1", "operator": "eq", "name": "oracle banking digital experience"}, {"cpeName": "oracle:weblogic_server", "version": "12.2.1.4.0", "operator": "eq", "name": "oracle weblogic server"}, {"cpeName": "oracle:knowledge", "version": "8.6.3", "operator": "le", "name": "oracle knowledge"}, {"cpeName": "oracle:peoplesoft_enterprise_peopletools", "version": "8.58", "operator": "eq", "name": "oracle peoplesoft enterprise peopletools"}, {"cpeName": "oracle:financial_services_liquidity_risk_management", "version": "8.0.6", "operator": "eq", "name": "oracle financial services liquidity risk management"}, {"cpeName": "oracle:financial_services_liquidity_risk_measurement_and_management", "version": "8.0.8", "operator": "eq", "name": "oracle financial services liquidity risk measurement and management"}, {"cpeName": "oracle:financial_services_liquidity_risk_measurement_and_management", "version": "8.0.7", "operator": "eq", "name": "oracle financial services liquidity risk measurement and management"}, {"cpeName": "oracle:financial_services_balance_sheet_planning", "version": "8.0.8", "operator": "eq", "name": "oracle financial services balance sheet planning"}, {"cpeName": "oracle:application_express", "version": "19.1", "operator": "lt", "name": "oracle application express"}, {"cpeName": "oracle:weblogic_server", "version": "14.1.1.0.0", "operator": "eq", "name": "oracle weblogic server"}, {"cpeName": "oracle:communications_element_manager", "version": "8.2.0", "operator": "eq", "name": "oracle communications element manager"}, {"cpeName": "oracle:communications_element_manager", "version": "8.2.1", "operator": "eq", "name": "oracle communications element manager"}, {"cpeName": "oracle:communications_element_manager", "version": "8.1.1", "operator": "eq", "name": "oracle communications element manager"}, {"cpeName": "oracle:rest_data_services", "version": "12.2.0.1", "operator": "eq", "name": "oracle rest data services"}, {"cpeName": "oracle:rest_data_services", "version": "12.1.0.2", "operator": "eq", "name": "oracle rest data services"}, {"cpeName": "oracle:rest_data_services", "version": "11.2.0.4", "operator": "eq", "name": "oracle rest data services"}, {"cpeName": "oracle:rest_data_services", "version": "18c", "operator": "eq", "name": "oracle rest data services"}, {"cpeName": "oracle:rest_data_services", "version": "19c", "operator": "eq", "name": "oracle rest data services"}, {"cpeName": "oracle:retail_customer_management_and_segmentation_foundation", "version": "19.0", "operator": "eq", "name": "oracle retail customer management and segmentation foundation"}, {"cpeName": "oracle:healthcare_foundation", "version": "7.2.0", "operator": "eq", "name": "oracle healthcare foundation"}, {"cpeName": "oracle:healthcare_foundation", "version": "7.3.0", "operator": "eq", "name": "oracle healthcare foundation"}, {"cpeName": "oracle:healthcare_foundation", "version": "7.1.1", "operator": "eq", "name": "oracle healthcare foundation"}, {"cpeName": "oracle:communications_billing_and_revenue_management", "version": "12.0.0.3.0", "operator": "eq", "name": "oracle communications billing and revenue management"}, {"cpeName": "oracle:communications_billing_and_revenue_management", "version": "7.5.0.23.0", "operator": "eq", "name": "oracle communications billing and revenue management"}, {"cpeName": "oracle:financial_services_data_governance_for_us_regulatory_reporting", "version": "8.0.9", "operator": "le", "name": "oracle financial services data governance for us regulatory reporting"}, {"cpeName": "oracle:hospitality_simphony", "version": "19.1.2", "operator": "le", "name": "oracle hospitality simphony"}, {"cpeName": "oracle:banking_digital_experience", "version": "19.2", "operator": "eq", "name": "oracle banking digital experience"}, {"cpeName": "oracle:financial_services_profitability_management", "version": "8.1.0", "operator": "eq", "name": "oracle financial services profitability management"}, {"cpeName": "oracle:banking_digital_experience", "version": "20.1", "operator": "eq", "name": "oracle banking digital experience"}, {"cpeName": "oracle:financial_services_loan_loss_forecasting_and_provisioning", "version": "8.1.0", "operator": "eq", "name": "oracle financial services loan loss forecasting and provisioning"}, {"cpeName": "oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach", "version": "8.1.0", "operator": "eq", "name": "oracle financial services basel regulatory capital internal ratings based approach"}, {"cpeName": "oracle:siebel_ui_framework", "version": "20.8", "operator": "eq", "name": "oracle siebel ui framework"}, {"cpeName": "oracle:communications_application_session_controller", "version": "3.8m0", "operator": "eq", "name": "oracle communications application session controller"}, {"cpeName": "oracle:financial_services_institutional_performance_analytics", "version": "8.1.0", "operator": "eq", "name": "oracle financial services institutional performance analytics"}, {"cpeName": "oracle:insurance_insbridge_rating_and_underwriting", "version": "5.6.0.0", "operator": "le", "name": "oracle insurance insbridge rating and underwriting"}, {"cpeName": "oracle:financial_services_liquidity_risk_measurement_and_management", "version": "8.1.0", "operator": "eq", "name": "oracle financial services liquidity risk measurement and management"}, {"cpeName": "oracle:financial_services_basel_regulatory_capital_basic", "version": "8.1.0", "operator": "eq", "name": "oracle financial services basel regulatory capital basic"}, {"cpeName": "oracle:insurance_allocation_manager_for_enterprise_profitability", "version": "8.0.8", "operator": "eq", "name": "oracle insurance allocation manager for enterprise profitability"}, {"cpeName": "oracle:insurance_insbridge_rating_and_underwriting", "version": "5.6.1.0", "operator": "eq", "name": "oracle insurance insbridge rating and underwriting"}, {"cpeName": "oracle:hospitality_simphony", "version": "18.1", "operator": "eq", "name": "oracle hospitality simphony"}, {"cpeName": "oracle:financial_services_data_integration_hub", "version": "8.1.0", "operator": "eq", "name": "oracle financial services data integration hub"}, {"cpeName": "oracle:insurance_accounting_analyzer", "version": "8.0.9", "operator": "eq", "name": "oracle insurance accounting analyzer"}, {"cpeName": "oracle:financial_services_hedge_management_and_ifrs_valuations", "version": "8.1.0", "operator": "eq", "name": "oracle financial services hedge management and ifrs valuations"}, {"cpeName": "oracle:financial_services_analytical_applications_reconciliation_framework", "version": "8.1.0", "operator": "eq", "name": "oracle financial services analytical applications reconciliation framework"}, {"cpeName": "oracle:insurance_allocation_manager_for_enterprise_profitability", "version": "8.1.0", "operator": "eq", "name": "oracle insurance allocation manager for enterprise profitability"}, {"cpeName": "oracle:hospitality_simphony", "version": "18.2", "operator": "eq", "name": "oracle hospitality simphony"}, {"cpeName": "oracle:financial_services_asset_liability_management", "version": "8.1.0", "operator": "eq", "name": "oracle financial services asset liability management"}, {"cpeName": "oracle:enterprise_manager_ops_center", "version": "12.4.0.0", "operator": "eq", "name": "oracle enterprise manager ops center"}, {"cpeName": "oracle:enterprise_session_border_controller", "version": "8.4", "operator": "eq", "name": "oracle enterprise session border controller"}, {"cpeName": "oracle:financial_services_market_risk_measurement_and_management", "version": "8.0.8", "operator": "eq", "name": "oracle financial services market risk measurement and management"}, {"cpeName": "oracle:jdeveloper", "version": "12.2.1.4.0", "operator": "eq", "name": "oracle jdeveloper"}, {"cpeName": "oracle:financial_services_funds_transfer_pricing", "version": "8.1.0", "operator": "eq", "name": "oracle financial services funds transfer pricing"}, {"cpeName": "oracle:communications_services_gatekeeper", "version": "7.0", "operator": "eq", "name": "oracle communications services gatekeeper"}, {"cpeName": "oracle:communications_session_report_manager", "version": "8.1.1", "operator": "eq", "name": "oracle communications session report manager"}, {"cpeName": "oracle:communications_session_report_manager", "version": "8.2.0", "operator": "eq", "name": "oracle communications session report manager"}, {"cpeName": "oracle:communications_session_report_manager", "version": "8.2.1", "operator": "eq", "name": "oracle communications session report manager"}, {"cpeName": "oracle:communications_session_route_manager", "version": "8.1.1", "operator": "eq", "name": "oracle communications session route manager"}, {"cpeName": "oracle:communications_session_route_manager", "version": "8.2.0", "operator": "eq", "name": "oracle communications session route manager"}, {"cpeName": "oracle:communications_session_route_manager", "version": "8.2.1", "operator": "eq", "name": "oracle communications session route manager"}, {"cpeName": "oracle:primavera_gateway", "version": "16.2.11", "operator": "le", "name": "oracle primavera gateway"}, {"cpeName": "oracle:communications_diameter_signaling_router", "version": "8.2.1", "operator": "eq", "name": "oracle communications diameter signaling router"}, {"cpeName": "oracle:communications_diameter_signaling_router", "version": "8.0.0", "operator": "eq", "name": "oracle communications diameter signaling router"}, {"cpeName": "oracle:communications_diameter_signaling_router", "version": "8.1", "operator": "eq", "name": "oracle communications diameter signaling router"}, {"cpeName": "oracle:communications_diameter_signaling_router", "version": "8.2", "operator": "eq", "name": "oracle communications diameter signaling router"}, {"cpeName": "oracle:primavera_gateway", "version": "17.12.7", "operator": "le", "name": "oracle primavera gateway"}, {"cpeName": "oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank", "version": "8.0.4", "operator": "eq", "name": "oracle financial services regulatory reporting for de nederlandsche bank"}, {"cpeName": "oracle:banking_enterprise_collections", "version": "2.8.0", "operator": "le", "name": "oracle banking enterprise collections"}, {"cpeName": "oracle:banking_platform", "version": "2.10.0", "operator": "le", "name": "oracle banking platform"}, {"cpeName": "oracle:primavera_gateway", "version": "19.12.4", "operator": "le", "name": "oracle primavera gateway"}, {"cpeName": "oracle:primavera_gateway", "version": "18.8.9", "operator": "le", "name": "oracle primavera gateway"}, {"cpeName": "oracle:communications_operations_monitor", "version": "4.3", "operator": "le", "name": "oracle communications operations monitor"}, {"cpeName": "oracle:communications_analytics", "version": "12.1.1", "operator": "eq", "name": "oracle communications analytics"}, {"cpeName": "oracle:healthcare_translational_research", "version": "3.3.1", "operator": "eq", "name": "oracle healthcare translational research"}, {"cpeName": "oracle:healthcare_translational_research", "version": "3.3.2", "operator": "eq", "name": "oracle healthcare translational research"}, {"cpeName": "oracle:healthcare_translational_research", "version": "3.4.0", "operator": "eq", "name": "oracle healthcare translational research"}, {"cpeName": "oracle:healthcare_translational_research", "version": "3.2.1", "operator": "eq", "name": "oracle healthcare translational research"}, {"cpeName": "oracle:primavera_gateway", "version": "15.2.18", "operator": "eq", "name": "oracle primavera gateway"}, {"cpeName": "oracle:big_data_discovery", "version": "1.6", "operator": "eq", "name": "oracle big data discovery"}, {"cpeName": "oracle:business_process_management_suite", "version": "12.2.1.4.0", "operator": "eq", "name": "oracle business process management suite"}, {"cpeName": "oracle:bi_publisher", "version": "5.5.0.0.0", "operator": "eq", "name": "oracle bi publisher"}, {"cpeName": "oracle:transportation_management", "version": "1.4.3", "operator": "eq", "name": "oracle transportation management"}, {"cpeName": "oracle:agile_product_lifecycle_management_for_process", "version": "6.1", "operator": "eq", "name": "oracle agile product lifecycle management for process"}, {"cpeName": "oracle:jdeveloper_and_adf", "version": "11.1.1.9.0", "operator": "eq", "name": "oracle jdeveloper and adf"}, {"cpeName": "oracle:jdeveloper_and_adf", "version": "12.1.3.0.0", "operator": "eq", "name": "oracle jdeveloper and adf"}, {"cpeName": "oracle:jdeveloper_and_adf", "version": "12.2.1.3.0", "operator": "eq", "name": "oracle jdeveloper and adf"}, {"cpeName": "oracle:financial_services_retail_performance_analytics", "version": "8.0.6", "operator": "eq", "name": "oracle financial services retail performance analytics"}, {"cpeName": "oracle:financial_services_retail_performance_analytics", "version": "8.0.7", "operator": "eq", "name": "oracle financial services retail performance analytics"}, {"cpeName": "oracle:financial_services_enterprise_financial_performance_analytics", "version": "8.0.6", "operator": "eq", "name": "oracle financial services enterprise financial performance analytics"}, {"cpeName": "oracle:financial_services_enterprise_financial_performance_analytics", "version": "8.0.7", "operator": "eq", "name": "oracle financial services enterprise financial performance analytics"}, {"cpeName": "oracle:healthcare_foundation", "version": "7.2.2", "operator": "eq", "name": "oracle healthcare foundation"}, {"cpeName": "oracle:application_testing_suite", "version": "13.2", "operator": "eq", "name": "oracle application testing suite"}, {"cpeName": "oracle:application_service_level_management", "version": "13.2.0.0", "operator": "eq", "name": "oracle application service level management"}, {"cpeName": "oracle:application_service_level_management", "version": "13.3.0.0", "operator": "eq", "name": "oracle application service level management"}, {"cpeName": "oracle:communications_operations_monitor", "version": "4.1.0", "operator": "eq", "name": "oracle communications operations monitor"}, {"cpeName": "oracle:storagetek_tape_analytics_sw_tool", "version": "2.3.0", "operator": "eq", "name": "oracle storagetek tape analytics sw tool"}, {"cpeName": "oracle:diagnostic_assistant", "version": "2.12.36", "operator": "eq", "name": "oracle diagnostic assistant"}, {"cpeName": "oracle:siebel_mobile_applications", "version": "19.8", "operator": "le", "name": "oracle siebel mobile applications"}, {"cpeName": "oracle:policy_automation", "version": "12.2.15", "operator": "le", "name": "oracle policy automation"}, {"cpeName": "oracle:policy_automation_for_mobile_devices", "version": "12.2.15", "operator": "le", "name": "oracle policy automation for mobile devices"}, {"cpeName": "oracle:utilities_mobile_workforce_management", "version": "2.3.0.3", "operator": "le", "name": "oracle utilities mobile workforce management"}, {"cpeName": "oracle:tape_library_acsls", "version": "8.5.1", "operator": "eq", "name": "oracle tape library acsls"}, {"cpeName": "oracle:tape_library_acsls", "version": "8.5", "operator": "eq", "name": "oracle tape library acsls"}, {"cpeName": "oracle:communications_interactive_session_recorder", "version": "6.4", "operator": "le", "name": "oracle communications interactive session recorder"}, {"cpeName": "oracle:real-time_scheduler", "version": "2.3.0.3", "operator": "le", "name": "oracle real-time scheduler"}, {"cpeName": "oracle:financial_services_institutional_performance_analytics", "version": "8.0.7", "operator": "le", "name": "oracle financial services institutional performance analytics"}, {"cpeName": "oracle:financial_services_data_foundation", "version": "8.0.8", "operator": "le", "name": "oracle financial services data foundation"}, {"cpeName": "oracle:financial_services_liquidity_risk_management", "version": "8.0.2", "operator": "eq", "name": "oracle financial services liquidity risk management"}, {"cpeName": "oracle:financial_services_analytical_applications_reconciliation_framework", "version": "8.0.7", "operator": "le", "name": "oracle financial services analytical applications reconciliation framework"}, {"cpeName": "oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach", "version": "8.0.7", "operator": "le", "name": "oracle financial services basel regulatory capital internal ratings based approach"}, {"cpeName": "oracle:financial_services_basel_regulatory_capital_basic", "version": "8.0.7", "operator": "le", "name": "oracle financial services basel regulatory capital basic"}, {"cpeName": "oracle:financial_services_analytical_applications_infrastructure", "version": "8.1.0", "operator": "le", "name": "oracle financial services analytical applications infrastructure"}, {"cpeName": "oracle:system_utilities", "version": "19.1", "operator": "eq", "name": "oracle system utilities"}, {"cpeName": "oracle:insurance_performance_insight", "version": "8.0.7", "operator": "eq", "name": "oracle insurance performance insight"}, {"cpeName": "oracle:insurance_ifrs_17_analyzer", "version": "8.0.6", "operator": "eq", "name": "oracle insurance ifrs 17 analyzer"}, {"cpeName": "oracle:insurance_ifrs_17_analyzer", "version": "8.0.7", "operator": "eq", "name": "oracle insurance ifrs 17 analyzer"}, {"cpeName": "oracle:financial_services_revenue_management_and_billing", "version": "2.4.0.1", "operator": "eq", "name": "oracle financial services revenue management and billing"}, {"cpeName": "oracle:financial_services_regulatory_reporting_for_european_banking_authority", "version": "8.0.7", "operator": "eq", "name": "oracle financial services regulatory reporting for european banking authority"}, {"cpeName": "oracle:insurance_data_foundation", "version": "8.0.7", "operator": "le", "name": "oracle insurance data foundation"}, {"cpeName": "oracle:financial_services_revenue_management_and_billing", "version": "2.4.0.0", "operator": "eq", "name": "oracle financial services revenue management and billing"}, {"cpeName": "oracle:financial_services_retail_customer_analytics", "version": "8.0.6", "operator": "le", "name": "oracle financial services retail customer analytics"}, {"cpeName": "oracle:financial_services_regulatory_reporting_for_us_federal_reserve", "version": "8.0.7", "operator": "le", "name": "oracle financial services regulatory reporting for us federal reserve"}, {"cpeName": "oracle:financial_services_regulatory_reporting_for_european_banking_authority", "version": "8.0.6", "operator": "eq", "name": "oracle financial services regulatory reporting for european banking authority"}, {"cpeName": "oracle:financial_services_price_creation_and_discovery", "version": "8.0.7", "operator": "le", "name": "oracle financial services price creation and discovery"}, {"cpeName": "oracle:financial_services_profitability_management", "version": "8.0.7", "operator": "le", "name": "oracle financial services profitability management"}, {"cpeName": "oracle:communications_eagle_application_processor", "version": "16.4.0", "operator": "le", "name": "oracle communications eagle application processor"}, {"cpeName": "joomla:joomla\\!", "version": "3.9.4", "operator": "le", "name": "joomla joomla\\!"}, {"cpeName": "juniper:junos", "version": "21.2", "operator": "eq", "name": "juniper junos"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:jquery:jquery:3.4.0:*:*:*:*:*:*:*", "versionEndExcluding": "3.4.0", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:drupal:drupal:7.66:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.66", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.5.15:*:*:*:*:*:*:*", "versionStartIncluding": "8.5.0", "versionEndExcluding": "8.5.15", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.6.15:*:*:*:*:*:*:*", "versionStartIncluding": "8.6.0", "versionEndExcluding": "8.6.15", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:backdropcms:backdrop:1.11.9:*:*:*:*:*:*:*", "versionStartIncluding": "1.11.0", "versionEndExcluding": "1.11.9", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:backdropcms:backdrop:1.12.6:*:*:*:*:*:*:*", "versionStartIncluding": "1.12.0", "versionEndExcluding": "1.12.6", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:oncommand_system_manager:3.1.3:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndIncluding": "3.1.3", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*", "versionStartIncluding": "17.7", "versionEndIncluding": "17.12", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.2", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.5", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:7.3.5:*:*:*:*:*:*:*", "versionStartIncluding": "7.3.3", "versionEndIncluding": "7.3.5", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:knowledge:8.6.3:*:*:*:*:*:*:*", "versionStartIncluding": "8.6.0", "versionEndIncluding": "8.6.3", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:application_express:19.1:*:*:*:*:*:*:*", "versionEndExcluding": "19.1", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:8.0.9:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.6", "versionEndIncluding": "8.0.9", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:hospitality_simphony:19.1.2:*:*:*:*:*:*:*", "versionStartIncluding": "19.1.0", "versionEndIncluding": "19.1.2", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.0.0:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0.0", "versionEndIncluding": "5.6.0.0", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:primavera_gateway:16.2.11:*:*:*:*:*:*:*", "versionStartIncluding": "16.2.0", "versionEndIncluding": "16.2.11", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:primavera_gateway:17.12.7:*:*:*:*:*:*:*", "versionStartIncluding": "17.12.0", "versionEndIncluding": "17.12.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:banking_enterprise_collections:2.8.0:*:*:*:*:*:*:*", "versionStartIncluding": "2.7.0", "versionEndIncluding": "2.8.0", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:banking_platform:2.10.0:*:*:*:*:*:*:*", "versionStartIncluding": "2.4.0", "versionEndIncluding": "2.10.0", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:primavera_gateway:19.12.4:*:*:*:*:*:*:*", "versionStartIncluding": "19.12.0", "versionEndIncluding": "19.12.4", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:primavera_gateway:18.8.9:*:*:*:*:*:*:*", "versionStartIncluding": "18.8.0", "versionEndIncluding": "18.8.9", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*", "versionStartIncluding": "4.1", "versionEndIncluding": "4.3", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:siebel_mobile_applications:19.8:*:*:*:*:*:*:*", "versionEndIncluding": "19.8", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:policy_automation:12.2.15:*:*:*:*:*:*:*", "versionStartIncluding": "12.2.0", "versionEndIncluding": "12.2.15", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.15:*:*:*:*:*:*:*", "versionStartIncluding": "12.2.0", "versionEndIncluding": "12.2.15", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0.3:*:*:*:*:*:*:*", "versionStartIncluding": "2.3.0.1", "versionEndIncluding": "2.3.0.3", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndIncluding": "6.4", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:real-time_scheduler:2.3.0.3:*:*:*:*:*:*:*", "versionStartIncluding": "2.3.0.1", "versionEndIncluding": "2.3.0.3", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_data_foundation:8.0.8:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.8", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.2", "versionEndIncluding": "8.1.0", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:insurance_data_foundation:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.6", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.4", "versionEndIncluding": "8.0.7", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_eagle_application_processor:16.4.0:*:*:*:*:*:*:*", "versionStartIncluding": "16.1.0", "versionEndIncluding": "16.4.0", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:joomla:joomla\\!:3.9.4:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndIncluding": "3.9.4", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.drupal.org/sa-core-2019-006", "name": "https://www.drupal.org/sa-core-2019-006", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://snyk.io/vuln/SNYK-JS-JQUERY-174006", "name": "https://snyk.io/vuln/SNYK-JS-JQUERY-174006", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://github.com/jquery/jquery/pull/4333", "name": "https://github.com/jquery/jquery/pull/4333", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b", "name": "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "name": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "refsource": "MISC", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://backdropcms.org/security/backdrop-sa-core-2019-009", "name": "https://backdropcms.org/security/backdrop-sa-core-2019-009", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "https://www.debian.org/security/2019/dsa-4434", "name": "DSA-4434", "refsource": "DEBIAN", "tags": ["Third Party Advisory"]}, {"url": "https://seclists.org/bugtraq/2019/Apr/32", "name": "20190421 [SECURITY] [DSA 4434-1] drupal7 security update", "refsource": "BUGTRAQ", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://www.securityfocus.com/bid/108023", "name": "108023", "refsource": "BID", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"]}, {"url": "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E", "name": "[airflow-commits] 20190428 [GitHub] [airflow] feng-tao opened a new pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E", "name": "[airflow-commits] 20190428 [GitHub] [airflow] feng-tao commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E", "name": "[airflow-commits] 20190428 [GitHub] [airflow] codecov-io commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E", "name": "[airflow-commits] 20190428 [GitHub] [airflow] XD-DENG commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E", "name": "[airflow-commits] 20190428 [GitHub] [airflow] XD-DENG merged pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html", "name": "[debian-lts-announce] 20190506 [SECURITY] [DLA 1777-1] jquery security update", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/", "name": "FEDORA-2019-eba8e44ee6", "refsource": "FEDORA", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/", "name": "FEDORA-2019-1a3edd7e8a", "refsource": "FEDORA", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/", "name": "FEDORA-2019-7eaf0bbe7c", "refsource": "FEDORA", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/", "name": "FEDORA-2019-2a0ce0c58c", "refsource": "FEDORA", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/", "name": "FEDORA-2019-f563e66380", "refsource": "FEDORA", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/", "name": "FEDORA-2019-a06dffab1c", "refsource": "FEDORA", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://seclists.org/bugtraq/2019/May/18", "name": "20190509 dotCMS v5.1.1 Vulnerabilities", "refsource": "BUGTRAQ", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html", "name": "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "http://seclists.org/fulldisclosure/2019/May/13", "name": "20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability", "refsource": "FULLDISC", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2019/May/11", "name": "20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability", "refsource": "FULLDISC", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2019/May/10", "name": "20190510 dotCMS v5.1.1 Vulnerabilities", "refsource": "FULLDISC", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html", "name": "[debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2019/06/03/2", "name": "[oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)", "refsource": "MLIST", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html", "name": "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:1456", "name": "RHSA-2019:1456", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "https://www.debian.org/security/2019/dsa-4460", "name": "DSA-4460", "refsource": "DEBIAN", "tags": ["Third Party Advisory"]}, {"url": "https://seclists.org/bugtraq/2019/Jun/12", "name": "20190612 [SECURITY] [DSA 4460-1] mediawiki security update", "refsource": "BUGTRAQ", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"]}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/", "name": "https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html", "name": "openSUSE-SU-2019:1839", "refsource": "SUSE", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHBA-2019:1570", "name": "RHBA-2019:1570", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html", "name": "openSUSE-SU-2019:1872", "refsource": "SUSE", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E", "name": "[roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:2587", "name": "RHSA-2019:2587", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20190919-0001/", "name": "https://security.netapp.com/advisory/ntap-20190919-0001/", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:3023", "name": "RHSA-2019:3023", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:3024", "name": "RHSA-2019:3024", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://www.synology.com/security/advisory/Synology_SA_19_19", "name": "https://www.synology.com/security/advisory/Synology_SA_19_19", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E", "name": "[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://www.tenable.com/security/tns-2019-08", "name": "https://www.tenable.com/security/tns-2019-08", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html", "name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E", "name": "[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html", "name": "[debian-lts-announce] 20200224 [SECURITY] [DLA 2118-1] otrs2 security update", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html", "name": "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenable.com/security/tns-2020-02", "name": "https://www.tenable.com/security/tns-2020-02", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "name": "N/A", "refsource": "N/A", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E", "name": "[syncope-dev] 20200423 Jquery version on 2.1.x/2.0.x", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E", "name": "[flink-dev] 20200513 [jira] [Created] (FLINK-17675) Resolve CVE-2019-11358 from jquery", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20200513 [jira] [Created] (FLINK-17675) Resolve CVE-2019-11358 from jquery", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20200518 [jira] [Commented] (FLINK-17675) Resolve CVE-2019-11358 from jquery", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20200518 [jira] [Updated] (FLINK-17675) Resolve CVE-2019-11358 from jquery", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20200518 [jira] [Assigned] (FLINK-17675) Resolve CVE-2019-11358 from jquery", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E", "name": "[flink-issues] 20200520 [jira] [Closed] (FLINK-17675) Resolve CVE-2019-11358 from jquery", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E", "name": "[storm-dev] 20200708 [GitHub] [storm] Crim opened a new pull request #3305: [STORM-3553] Upgrade jQuery from 1.11.1 to 3.5.1", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html", "name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601", "name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "name": "N/A", "refsource": "N/A", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1", "name": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html", "name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update", "refsource": "MLIST", "tags": []}], "product_info": [{"vendor": "Oracle", "product": "Application_testing_suite"}, {"vendor": "Oracle", "product": "Communications_diameter_signaling_router"}, {"vendor": "Oracle", "product": "Communications_element_manager"}, {"vendor": "Oracle", "product": "Financial_services_liquidity_risk_management"}, {"vendor": "Oracle", "product": "Storagetek_tape_analytics_sw_tool"}, {"vendor": "Oracle", "product": "Communications_webrtc_session_controller"}, {"vendor": "Oracle", "product": "Insurance_performance_insight"}, {"vendor": "Oracle", "product": "Primavera_unifier"}, {"vendor": "Oracle", "product": "Financial_services_basel_regulatory_capital_basic"}, {"vendor": "Oracle", "product": "Peoplesoft_enterprise_peopletools"}, {"vendor": "Oracle", "product": "Communications_session_route_manager"}, {"vendor": "Oracle", "product": "Financial_services_liquidity_risk_measurement_and_management"}, {"vendor": "Oracle", "product": "Financial_services_institutional_performance_analytics"}, {"vendor": "Oracle", "product": "Jdeveloper"}, {"vendor": "Oracle", "product": "Financial_services_market_risk_measurement_and_management"}, {"vendor": "Oracle", "product": "Insurance_accounting_analyzer"}, {"vendor": "Oracle", "product": "Policy_automation_connector_for_siebel"}, {"vendor": "Oracle", "product": "Financial_services_profitability_management"}, {"vendor": "Oracle", "product": "Financial_services_revenue_management_and_billing"}, {"vendor": "Oracle", "product": "Financial_services_balance_sheet_planning"}, {"vendor": "Oracle", "product": "Communications_operations_monitor"}, {"vendor": "Oracle", "product": "Hospitality_materials_control"}, {"vendor": "Oracle", "product": "Jd_edwards_enterpriseone_tools"}, {"vendor": "Juniper", "product": "Junos"}, {"vendor": "Oracle", "product": "Financial_services_data_integration_hub"}, {"vendor": "Oracle", "product": "Communications_session_report_manager"}, {"vendor": "Oracle", "product": "Knowledge"}, {"vendor": "Oracle", "product": "Business_process_management_suite"}, {"vendor": "Opensuse", "product": "Backports_sle"}, {"vendor": "Oracle", "product": "Real-time_scheduler"}, {"vendor": "Oracle", "product": "Financial_services_loan_loss_forecasting_and_provisioning"}, {"vendor": "Oracle", "product": "Application_service_level_management"}, {"vendor": "Oracle", "product": "Financial_services_regulatory_reporting_for_us_federal_reserve"}, {"vendor": "Oracle", "product": "Enterprise_manager_ops_center"}, {"vendor": "Oracle", "product": "Banking_enterprise_collections"}, {"vendor": "Oracle", "product": "Financial_services_data_governance_for_us_regulatory_reporting"}, {"vendor": "Oracle", "product": "Retail_central_office"}, {"vendor": "Oracle", "product": "Application_express"}, {"vendor": "Oracle", "product": "Big_data_discovery"}, {"vendor": "Oracle", "product": "Insurance_ifrs_17_analyzer"}, {"vendor": "Oracle", "product": "Communications_eagle_application_processor"}, {"vendor": "Oracle", "product": "Fusion_middleware_mapviewer"}, {"vendor": "Oracle", "product": "Financial_services_retail_performance_analytics"}, {"vendor": "Fedoraproject", "product": "Fedora"}, {"vendor": "Oracle", "product": "Communications_unified_inventory_management"}, {"vendor": "Oracle", "product": "Retail_back_office"}, {"vendor": "Oracle", "product": "Weblogic_server"}, {"vendor": "Oracle", "product": "Financial_services_funds_transfer_pricing"}, {"vendor": "Oracle", "product": "Financial_services_enterprise_financial_performance_analytics"}, {"vendor": "Oracle", "product": "Financial_services_asset_liability_management"}, {"vendor": "Oracle", "product": "Insurance_allocation_manager_for_enterprise_profitability"}, {"vendor": "Oracle", "product": "Utilities_mobile_workforce_management"}, {"vendor": "Oracle", "product": "Tape_library_acsls"}, {"vendor": "Oracle", "product": "Financial_services_price_creation_and_discovery"}, {"vendor": "Oracle", "product": "Primavera_gateway"}, {"vendor": "Oracle", "product": "Financial_services_regulatory_reporting_for_de_nederlandsche_bank"}, {"vendor": "Oracle", "product": "Transportation_management"}, {"vendor": "Jquery", "product": "Jquery"}, {"vendor": "Oracle", "product": "Financial_services_analytical_applications_infrastructure"}, {"vendor": "Opensuse", "product": "Leap"}, {"vendor": "Redhat", "product": "Cloudforms"}, {"vendor": "Oracle", "product": "Financial_services_analytical_applications_reconciliation_framework"}, {"vendor": "Oracle", "product": "Insurance_insbridge_rating_and_underwriting"}, {"vendor": "Backdropcms", "product": "Backdrop"}, {"vendor": "Oracle", "product": "Bi_publisher"}, {"vendor": "Oracle", "product": "System_utilities"}, {"vendor": "Oracle", "product": "Retail_customer_insights"}, {"vendor": "Oracle", "product": "Financial_services_hedge_management_and_ifrs_valuations"}, {"vendor": "Oracle", "product": "Communications_application_session_controller"}, {"vendor": "Oracle", "product": "Siebel_ui_framework"}, {"vendor": "Oracle", "product": "Agile_product_lifecycle_management_for_process"}, {"vendor": "Oracle", "product": "Financial_services_retail_customer_analytics"}, {"vendor": "Oracle", "product": "Insurance_data_foundation"}, {"vendor": "Oracle", "product": "Financial_services_data_foundation"}, {"vendor": "Oracle", "product": "Hospitality_simphony"}, {"vendor": "Netapp", "product": "Oncommand_system_manager"}, {"vendor": "Oracle", "product": "Policy_automation"}, {"vendor": "Oracle", "product": "Banking_digital_experience"}, {"vendor": "Joomla", "product": "Joomla\\!"}, {"vendor": "Oracle", "product": "Webcenter_sites"}, {"vendor": "Oracle", "product": "Retail_point-of-service"}, {"vendor": "Oracle", "product": "Rest_data_services"}, {"vendor": "Oracle", "product": "Retail_returns_management"}, {"vendor": "Drupal", "product": "Drupal"}, {"vendor": "Oracle", "product": "Financial_services_basel_regulatory_capital_internal_ratings_based_approach"}, {"vendor": "Oracle", "product": "Communications_analytics"}, {"vendor": "Debian", "product": "Debian_linux"}, {"vendor": "Oracle", "product": "Identity_manager"}, {"vendor": "Oracle", "product": "Hospitality_guest_access"}, {"vendor": "Netapp", "product": "Snapcenter"}, {"vendor": "Oracle", "product": "Service_bus"}, {"vendor": "Oracle", "product": "Jdeveloper_and_adf"}, {"vendor": "Oracle", "product": "Healthcare_foundation"}, {"vendor": "Redhat", "product": "Virtualization_manager"}, {"vendor": "Oracle", "product": "Communications_billing_and_revenue_management"}, {"vendor": "Oracle", "product": "Communications_interactive_session_recorder"}, {"vendor": "Oracle", "product": "Siebel_mobile_applications"}, {"vendor": "Oracle", "product": "Policy_automation_for_mobile_devices"}, {"vendor": "Oracle", "product": "Communications_services_gatekeeper"}, {"vendor": "Oracle", "product": "Banking_platform"}, {"vendor": "Oracle", "product": "Financial_services_regulatory_reporting_for_european_banking_authority"}, {"vendor": "Oracle", "product": "Diagnostic_assistant"}, {"vendor": "Oracle", "product": "Retail_customer_management_and_segmentation_foundation"}, {"vendor": "Oracle", "product": "Healthcare_translational_research"}, {"vendor": "Oracle", "product": "Enterprise_session_border_controller"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}], "exploits": [], "assigned": "2019-04-19T00:00:00"}

{"osv": [{"lastseen": "2022-08-10T07:14:30", "description": "\nA cross-site scripting vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional information,\nplease refer to the upstream advisory at\n<https://www.drupal.org/sa-core-2019-006> .\n\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u8.\n\n\nWe recommend that you upgrade your drupal7 packages.\n\n\nFor the detailed security status of drupal7 please refer to its security\ntracker page at:\n<https://security-tracker.debian.org/tracker/drupal7>\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2019-04-20T00:00:00", "type": "osv", "title": "drupal7 - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2022-08-10T07:14:25", "id": "OSV:DSA-4434-1", "href": "https://osv.dev/vulnerability/DSA-4434-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-09-05T12:50:16", "description": "jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles `jQuery.extend(true, {}, ...)` because of `Object.prototype` pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype`.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-04-26T16:29:11", "type": "osv", "title": "XSS in jQuery as used in Drupal, Backdrop CMS, and other products", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2023-09-05T12:48:31", "id": "OSV:GHSA-6C3J-C64M-QHGQ", "href": "https://osv.dev/vulnerability/GHSA-6c3j-c64m-qhgq", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-21T08:17:42", "description": "\nIt was discovered that the jQuery version embedded in OTRS, a ticket\nrequest system, was prone to a cross site scripting vulnerability in\njQuery.extend().\n\n\nFor Debian 8 Jessie, this problem has been fixed in version\n3.3.18-1+deb8u14.\n\n\nWe recommend that you upgrade your otrs2 packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-02-24T00:00:00", "type": "osv", "title": "otrs2 - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2022-07-21T05:53:03", "id": "OSV:DLA-2118-1", "href": "https://osv.dev/vulnerability/DLA-2118-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-28T06:21:04", "description": "\nSeveral security vulnerabilities have been discovered in drupal7, a\nPHP web site platform. The vulnerabilities affect the embedded versions\nof the jQuery JavaScript library and the Typo3 Phar Stream Wrapper\nlibrary.\n\n\n* [CVE-2019-11358](https://security-tracker.debian.org/tracker/CVE-2019-11358)\nIt was discovered that the jQuery version embedded in Drupal was\n prone to a cross site scripting vulnerability in jQuery.extend().\n\n\nFor additional information, please refer to the upstream advisory\n at <https://www.drupal.org/sa-core-2019-006.>\n* [CVE-2019-11831](https://security-tracker.debian.org/tracker/CVE-2019-11831)\nIt was discovered that incomplete validation in a Phar processing\n library embedded in Drupal, a fully-featured content management\n framework, could result in information disclosure.\n\n\nFor additional information, please refer to the upstream advisory\n at <https://www.drupal.org/sa-core-2019-007.>\n\n\nFor Debian 8 Jessie, these problems have been fixed in version\n7.32-1+deb8u17.\n\n\nWe recommend that you upgrade your drupal7 packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-20T00:00:00", "type": "osv", "title": "drupal7 - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2019-11831"], "modified": "2023-06-28T06:20:59", "id": "OSV:DLA-1797-1", "href": "https://osv.dev/vulnerability/DLA-1797-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T07:14:33", "description": "\nMultiple security vulnerabilities have been discovered in MediaWiki, a\nwebsite engine for collaborative work, which may result in authentication\nbypass, denial of service, cross-site scripting, information disclosure\nand bypass of anti-spam measures.\n\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1:1.27.7-1~deb9u1.\n\n\nWe recommend that you upgrade your mediawiki packages.\n\n\nFor the detailed security status of mediawiki please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/mediawiki](https://security-tracker.debian.org/tracker/mediawiki)\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-12T00:00:00", "type": "osv", "title": "mediawiki - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2019-12472", "CVE-2019-12474", "CVE-2019-12471", "CVE-2019-12473", "CVE-2019-12470", "CVE-2019-12467", "CVE-2019-12466", "CVE-2019-12469", "CVE-2019-12468"], "modified": "2022-08-10T07:14:31", "id": "OSV:DSA-4460-1", "href": "https://osv.dev/vulnerability/DSA-4460-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-02-24T01:36:43", "description": "## Summary\n\nA security vulnerability has been identified in jQuery that could affect DataQuant for z/OS.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-11358](<https://ibm.service-now.com/sn_vul_nvd_entry.do?sys_id=016ad1181bc9b700d978fd12dd4bcbc1&sysparm_record_target=sn_vul_entry&sysparm_record_row=1&sysparm_record_rows=1&sysparm_record_list=sys_id%3D016ad1181bc9b700d978fd12dd4bcbc1>)\n\nCVSS Base Score: 6.1 \n**DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.\n\n## Affected Products and Versions\n\nPrincipal Products and Versions \n--- \nDataQuant for z/OS 2.1 \n \n## Remediation/Fixes\n\n**Steps to update jQuery \u2013 DataQuant**\n\n 1. Download the compressed, jQuery version 3.4.1 from below link - \n\n[https://code.jquery.com/jquery-3.4.1.min.js](<https://urldefense.proofpoint.com/v2/url?u=https-3A__code.jquery.com_jquery-2D3.4.1.min.js&d=DwMGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=sv7nAqiLHHTF-vEK--hw187dMlAs7F3lH9XK6W9I4sQ&m=Y_vEvRJ7sWP8DTymUdtfKqua_WZ4MxDbBna68_b8VqU&s=ZekpIXKdCpAnYHnHu5K7w59mGLHR6Aw_34vDfIhM8Mw&e=>)\n\n2\\. Open WebSphere server Administrative console and stop the DataQuant application, if it is running\n\n3\\. Go to file system directory where WebSphere server has installed the Data Quant for WebSphere application and navigate till \u201cplugins\u201d directory\n\nExample plugins directory path:\n\nC:\\Program Files\\IBM\\WebSphere\\AppServer\\profiles\\AppSrv01\\installedApps\\MyMachineNode01Cell\\QMFWebSphere122_war.ear\\QMFWebSphere122.war\\WEB-INF\\eclipse\\plugins\n\n4\\. Select the folder which name starts with \u201ccom.ibm.bi.reporter_\u201d and copy it to a temp directory\n\n5\\. Within the temp backup directory in step # 4 above, navigate to \u201creporter-config/html5/scripts\u201d directory\n\n6\\. Delete jquery-1.11.3.min.js and place the downloaded file - jquery-3.4.1.min.js received in step # 1\n\n7\\. Go to reporter-config/html5 directory\n\n8\\. Update \u201cindex.html\u201d, \u201cindex_android.html\u201d and \u201cindex_ios.html\u201d files using text editor and to point to new jQuery file as below:\n\n&lt;script type=\"text/javascript\" src=\"{1}/html5/scripts/jquery-1.11.3.min.js\"&gt;&lt;/script&gt;\n\nTo be updated with:\n\n&lt;script type=\"text/javascript\" src=\"{1}/html5/scripts/jquery-3.4.1.min.js\"&gt;&lt;/script&gt;\n\n9\\. Copy the updated folder into the plugins directory path as per step # 3 &amp; step #4\n\n10\\. Start the DataQuant application in WebSphere Administrative console\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-02-12T21:24:38", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been idenfied in jQuery which affects DataQuant for z/OS (CVE-2019-11358)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2021-02-12T21:24:38", "id": "7C6822723C8DED69D9FBC4D1DC69A54DC5A848CD239869AB0C90FC327D194CAA", "href": "https://www.ibm.com/support/pages/node/1103991", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-24T01:39:34", "description": "## Summary\n\nSecurity Bulletin: Vulnerability in jQuery affects IBM Watson Studio Local\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Studio - Local| 1.2.3 \n \n\n\n## Remediation/Fixes\n\nProduct| VRMF| Remediation/First Fix \n---|---|--- \nIBM Watson Studio Local| 2.1| <https://www.ibm.com/software/passportadvantage/pao_customer.html> \nIBM Cloud Pak for Data| 2.5| <https://www.ibm.com/software/passportadvantage/pao_customer.html> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-12-18T17:50:38", "type": "ibm", "title": "Security Bulletin: Vulnerability in jQuery affects IBM Watson Studio Local", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2019-12-18T17:50:38", "id": "FD3F7FDFA4DAAB71D175F1E137285D1F69A465922921368206BF33D36AB43D22", "href": "https://www.ibm.com/support/pages/node/1138456", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-24T05:50:06", "description": "## Summary\n\nIBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to cross-site scripting in jQuery, caused by improper validation of user-supplied input in Drupal core. (CVE-2019-11358). jQuery is used by the runtime components included in IBM Watson Speech. Please read the details for remediation below.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.0.0 - 4.5.0 \n \n \n \n\n\n \n\n\n## Remediation/Fixes\n\nIBM recommends addressing the vulnerability now by upgrading. \n\nProduct(s)| Version(s) \n| Remediation/Fix/Instructions \n---|---|--- \nIBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.5.1| The fix in 4.5.1 applies to all versions listed (4.0.0-4.5.0). Version 4.5.1 can be downloaded and installed from: \n[https://www.ibm.com/docs/en/cloud-pa](<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.5.x?topic=installing>)[ks/cp-data/4.5.x?topic=installing](<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.5.x?topic=installing>) \n \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2023-01-12T21:59:00", "type": "ibm", "title": "Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to cross-site scripting in jQuery (CVE-2019-11358).", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2023-01-12T21:59:00", "id": "88982C3BC765C275837ADC018CDBF4C480BAB80750C3DC007054B3AED0A5724E", "href": "https://www.ibm.com/support/pages/node/6610361", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-24T01:40:05", "description": "## Summary\n\nIBM Maximo Asset Management is vulnerable to cross-site scripting. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n**DESCRIPTION:** jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159633> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions of the IBM Maximo Asset Management core product, and all other IBM Maximo Industry Solution and IBM Control Desk products, regardless of their own version, if they are currently installed on top of an affected IBM Maximo Asset Management. * \n \n \n**Maximo Asset Management core product affected versions:** \nMaximo Asset Management 7.6 \n \n**Industry Solutions products affected if using an affected core version:** \nMaximo for Aviation \nMaximo for Life Sciences \nMaximo for Nuclear Power \nMaximo for Oil and Gas \nMaximo for Transportation \nMaximo for Utilities \n \n**IBM Control Desk products affected if using an affected core version:** \nSmartCloud Control Desk \nIBM Control Desk \nTivoli Integration Composer \n \n* To determine the core product version, log in and view System Information. The core product version is the \"Tivoli's process automation engine\" version. Please consult the [_Product Coexistence Matrix_](<https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20Maximo%20Asset%20Management/page/Product%20compatibility>) for a list of supported product combinations.\n\n## Remediation/Fixes\n\nThe recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central ([_What is Fix Central?_](< https://www-945.ibm.com/support/fixcentral/help?page=start>)) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the \u2018readme\u2019 documentation provided with each fix pack or interim fix.\n\n**For Maximo Asset Management 7.6: **\n\n**VRM** | **Fix Pack, Feature Pack, or Interim Fix** | **Download ** \n---|---|--- \n7.6.1.1 | Maximo Asset Management 7.6.1.1 iFix: \n[7.6.1.1-TIV-MBS-IFIX003 ](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Maximo+Asset+Management&release=7.6.1.1&platform=All&function=fixId&fixids=7.6.1.1-TIV-MBS-IFIX003&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>)or latest Interim Fix available | [_FixCentral_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+Maximo+Asset+Management&release=7.6.1.1&platform=All&function=all>) \n7.6.0.x | Please contact IBM Support to request an LA Fix | [FixCentral](<https://www.ibm.com/support/home/>) \n \n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-12-06T20:52:02", "type": "ibm", "title": "Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-11358)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2019-12-06T20:52:02", "id": "18F70AA47E2E43F4DA8767A4A95C24F6E49AC9CA2DA52A0DD0B10595AB37B715", "href": "https://www.ibm.com/support/pages/node/1096186", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T17:46:32", "description": "## Summary\n\njQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. IBM Performance Management has addressed the applicable CVE.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud APM, Base Private| 8.1.4 \nIBM Cloud APM, Advanced Private| 8.1.4 \n \n\n\n## Remediation/Fixes\n\nThe vulnerability can be remediated by applying the following 8.1.4.0-IBM-APM-SERVER-IF0010 or later server patch to the system where the Cloud APM server is installed: <https://www.ibm.com/support/pages/node/6120993>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-04-14T11:18:19", "type": "ibm", "title": "Security Bulletin: A vulnerability in jQuery affects the IBM Performance Management product (CVE-2019-11358)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2020-04-14T11:18:19", "id": "2FBA4A0FB6AAAC5B96D5638614DE0F0DD6C37754E93BCB6DD5A92FF9E1771D92", "href": "https://www.ibm.com/support/pages/node/6173889", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-24T01:39:17", "description": "## Summary\n\nIBM Tivoli Netcool Impact has addressed the following jQuery vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool Impact 7.1.0| 7.1.0.0~7.1.0.16 \n \n\n\n## Remediation/Fixes\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli Netcool Impact 7.1.0| _7.1.0.17_| _IJ17708_| [IBM Tivoli Netcool Impact 7.1.0 FP17](<https://www.ibm.com/support/pages/ibm-tivoli-netcoolimpact-v710-fix-pack-17-710-tiv-nci-fp0017> \"\" ) \n \n## Workarounds and Mitigations\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli Netcool Impact 7.1.0| _7.1.0.17_| _IJ17708_| [IBM Tivoli Netcool Impact 7.1.0 FP17](<https://www.ibm.com/support/pages/ibm-tivoli-netcoolimpact-v710-fix-pack-17-710-tiv-nci-fp0017> \"\" ) \n \n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Netcool Impact is affected by a jQuery vulnerability (CVE-2019-11358)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2019-12-20T08:47:33", "id": "46CE56C60CF59C2CE96E832E3949D9036A709BD9A0B3F2E5A02B11F84C34294E", "href": "https://www.ibm.com/support/pages/node/1105509", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-23T21:46:15", "description": "## Summary\n\nIBM MessageSight/MessageGateway has addressed the following jQuery vulnerability: \n \nCVE-2019-11358: jQuery mishandles jQuery.extend(true, {}, ...)\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n**DESCRIPTION:** jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159633> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected IBM MessageSight | Affected Versions \n---|--- \nIBM MessageSight | 1.2.0.0 - 1.2.0.3 \nIBM MessageSight | 2.0.0.0 - 2.0.0.2 \nIBM MessageSight | 5.0.0.0 \nIBM MessageGateway | 5.0.0.1 \n \n## Remediation/Fixes\n\nIBM MessageSight | 1.2.0.3 | [\n\n1.2.0.3-IBM-IMA-IFIT29187\n\n](<http://www.ibm.com/support/docview.wss?uid=ibm10886203>) \n---|---|--- \nIBM MessageSight | 2.0.0.2 | [\n\n2.0.0.2-IBM-IMA-IFIT29187\n\n](<http://www.ibm.com/support/docview.wss?uid=ibm10886207>) \nIBM MessageSight | 5.0.0.0 | [\n\n5.0.0.0-IBM-IMA-IFIT29187\n\n](<http://www.ibm.com/support/docview.wss?uid=ibm10886211>) \nIBM MessageGateway | 5.0.0.1 | [\n\n5.0.0.1-IBM-IMA-IFIT29187\n\n](<http://www.ibm.com/support/docview.wss?uid=ibm10886213>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-06-05T06:20:01", "type": "ibm", "title": "Security Bulletin: IBM MessageSight/MessageGateway is affected by the following jQuery vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2019-06-05T06:20:01", "id": "7D67D80D4B93C266A649B84CAFDD0C7C0525E4EF25DE3D86F84615A02E71F9A3", "href": "https://www.ibm.com/support/pages/node/886357", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T17:46:51", "description": "## Summary\n\njQuery used by IBM Tririga Application Platform is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM TRIRIGA Application Platform| 3.5.3 \nIBM TRIRIGA Application Platform| 3.6.0 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to download the appropriate Fix Pack from Fix Central ([What is Fix Central?](<http://www.ibm.com/systems/support/fixes/en/fixcentral/help/faq_sw.html>)) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. \n\n**Product**| **VRMF**| \n\n**Remediation/First Fix** \n \n---|---|--- \nIBM TRIRIGA Application Platform| 3.5.3.8| The fix is available for download on [FixCentral](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+TRIRIGA+Application+Platform&release=3.5.3.8&platform=All&function=all> \"FixCentral\" ). \nIBM TRIRIGA Application Platform| 3.6.0.5| The fix is available for download on [FixCentral](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+TRIRIGA+Application+Platform&release=3.6.0.5&platform=All&function=all> \"FixCentral\" ). \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-03-31T22:26:03", "type": "ibm", "title": "Security Bulletin: Vulnerability in jQuery affects IBM Tririga Application Platform (CVE-2019-11358)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2020-03-31T22:26:03", "id": "759B56FD4AA17873CFEF240471D53E2CE3CC4A7775D72A8FF17D44E868820C96", "href": "https://www.ibm.com/support/pages/node/6147993", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-24T06:14:34", "description": "## Summary\n\nIBM Security Guardium Insights has addressed the following vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Guardium Insights| 2.0.1 \n \n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Remediation / First Fix** \n \n---|---|--- \nIBM Security Guardium Insights| 2.0.1| [https://www.ibm.com/software/passportadvantage/?mhsrc=ibmsearch_a&amp;mhq=pasport%20advantage](<https://www.ibm.com/software/passportadvantage/?mhsrc=ibmsearch_a&mhq=pasport%20advantage>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-10-06T12:30:35", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium Insights is affected by a jQuery vulnerabilitiy (CVE-2019-11358)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2021-10-06T12:30:35", "id": "98B323422CA792F32B2EA7482D9D79B9F9D15C3830E9ED03453DF7CC38205557", "href": "https://www.ibm.com/support/pages/node/6320065", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:46:00", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae Runtime Environment Java\u2122 Version 8 used by IBM Cognos Command Center. This issue was disclosed as part of the IBM Java SDK updates in October 2020. IBM Command Center 10.2.4 FP1 IF14 has addressed the applicable CVE. Additionally , a vulnerability in jQuery has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-14797](<https://vulners.com/cve/CVE-2020-14797>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190115](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190115>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM Cognos Command Center 10.2.4.1 \n\n\nIBM Cognos Command Center 10.2.4.0\n\n \n\n\n## Remediation/Fixes\n\n[Cognos Command Center 10.2.4 Fix Pack 1 IF14](<https://www.ibm.com/support/pages/node/6406726> \"Cognos Command Center 10.2.4 Fix Pack 1 IF14\" )\n\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-03-01T16:29:49", "type": "ibm", "title": "Security Bulletin: IBM Cognos Command Center has addressed multiple vulnerabilities (Q12021)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2020-14797"], "modified": "2021-03-01T16:29:49", "id": "C240DF09D934E998A5A6E9F16EE5D00606D3852B389FD502ED34EB411645C177", "href": "https://www.ibm.com/support/pages/node/6406730", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T17:46:42", "description": "## Summary\n\nThe IBM Security Information Queue (ISIQ) web server utilizes a Node.js runtime environment. The environment includes several open source packages with known vulnerabilities. As of ISIQ v1.0.6, the open source packages have been upgraded to the recommended secure versions.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-8331](<https://vulners.com/cve/CVE-2019-8331>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip or popover data-template. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/157409](<https://exchange.xforce.ibmcloud.com/vulnerabilities/157409>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Information Queue (ISIQ)| 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 \n \n\n\n## Remediation/Fixes\n\nDownload and install the latest IBM Security Information Queue images (tagged at 1.0.6 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-04-07T16:23:23", "type": "ibm", "title": "Security Bulletin: IBM Security Information Queue uses components with known vulnerabilities (CVE-2019-8331, CVE-2019-11358)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2019-8331"], "modified": "2020-04-07T16:23:23", "id": "5102E26F5F9D162F10D7A53504320571C340046D1DC087AD20DBEB386B11F545", "href": "https://www.ibm.com/support/pages/node/6172563", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-24T05:58:55", "description": "## Summary\n\nIBM Business Process Manager and IBM Business Automation Workflow are affected by multiple security vulnerabilities found in Swagger UI.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2012-6708](<https://vulners.com/cve/CVE-2012-6708>) \n** DESCRIPTION: **jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '&lt;' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '&lt;' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n**CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n**CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Business Automation Workflow| V19.0 \nV18.0 \nIBM Business Process Manager| V8.6 \nV8.5 \n \n## Remediation/Fixes\n\nThe recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR [JR61747](<https://www.ibm.com/support/docview.wss?uid=swg1JR61747> \"JR61747\" ) as soon as practical:\n\n * [IBM Business Automation Workflow](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Automation+Workflow&release=All&platform=All&function=aparId&apars=JR61747,JR62222>) (including fix for IBM Business Process Manager V8.6.0.0 2018.03)\n * [IBM Business Process Manager Advanced](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR61747,JR62222>)\n * [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR61747,JR62222>)\n * [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR61747,JR62222>)\n\nNote that [JR61747](<https://www.ibm.com/support/docview.wss?uid=swg1JR61747> \"JR61747\" ) is superseded by [JR62222](<https://www.ibm.com/support/docview.wss?uid=swg1JR62222> \"JR62222\" ) addressing an issue with profile upgrade in case the ifix has been applied and is reapplied during upgrade to a newer version, which does not yet have the fix.\n\nFor IBM Business Automation Workflow V18.0 and V19.0 \n\u00b7 Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix [JR61747](<https://www.ibm.com/support/docview.wss?uid=swg1JR61747> \"JR61747\" ) \n\\--OR-- \n\u00b7 Apply cumulative fix Business Automation Workflow V20.0.0.1 \n \nFor IBM Business Process Manager V8.6 \n\u00b7 Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix [JR61747](<https://www.ibm.com/support/docview.wss?uid=swg1JR61747> \"JR61747\" ) \n\\--OR-- \n\u00b7 Upgrade to Business Automation Workflow V20.0.0.1 \n \nFor IBM BPM V8.5 \n\u00b7 Upgrade to IBM BPM V8.5.7, apply [Cumulative Fix 2017.06](<http://www.ibm.com/support/docview.wss?uid=swg24043591>) and then apply iFix [JR61747](<https://www.ibm.com/support/docview.wss?uid=swg1JR61747> \"JR61747\" ) \n\\--OR-- \n\u00b7 Upgrade to Business Automation Workflow V20.0.0.1\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-09-14T15:28:14", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities in Swagger UI affect IBM Business Automation Workflow and IBM Business Process Manager (BPM)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6708", "CVE-2015-9251", "CVE-2019-11358"], "modified": "2022-09-14T15:28:14", "id": "6227E56DAD73769F0362D834B90EB9B1D9A60C3227B1A4516F314052662E33C8", "href": "https://www.ibm.com/support/pages/node/6113428", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-24T06:02:09", "description": "## Summary\n\nMultiple cross-site scripting vulnerabilities in JQuery used by IBM InfoSphere Information Server were addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nInfoSphere Information Server| 11.7 \n \n## Remediation/Fixes\n\n## \n\n**Product**| **VRMF**| **APAR**| **Remediation** \n---|---|---|--- \nInfoSphere Information Server, InfoSphere Information Server on Cloud| 11.7| [DT134319](<https://www.ibm.com/mysupport/aCI3p000000PW4K> \"DT134319\" )| \\--Apply IBM InfoSphere Information Server version [11.7.1.0](<https://www.ibm.com/support/pages/node/878310>) \n\\--Apply IBM InfoSphere Information Server version [11.7.1.3](<https://www.ibm.com/support/pages/node/6498109> \"11.7.1.3\" ) \n\\--Apply Information Server [11.7.1.3 Service pack 4](<https://www.ibm.com/support/pages/node/6568469> \"11.7.1.3 Service pack 4\" ) \n\\--Apply DataStage Flow Design [Security patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FIBM+InfoSphere+Information+Server&fixids=is11713_Security_JR64903_DFD> \"Security patch\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-07-19T03:29:58", "type": "ibm", "title": "Security Bulletin: Multiple cross-site scripting vulnerabilities in JQuery affect IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023"], "modified": "2022-07-19T03:29:58", "id": "B609D685D630C87BB458CB89A66B87A64831A7617912F7856869B7F1B264C40C", "href": "https://www.ibm.com/support/pages/node/6603057", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-24T01:43:07", "description": "## Summary\n\nIBM API Connect has addressed the following vulnerability. \n\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-10911](<https://vulners.com/cve/CVE-2019-10911>) \n**DESCRIPTION: **Drupal core could allow a remote attacker to bypass security restrictions, caused by a flaw in the cookie management. By using a specially-crafted cookie, an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159639> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID: **[CVE-2019-10910](<https://vulners.com/cve/CVE-2019-10910>) \n**DESCRIPTION: **Drupal core could allow a remote attacker to execute arbitrary code on the system, caused by improper validation of user-supplied input. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159638> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n**CVEID: **[CVE-2019-10909](<https://vulners.com/cve/CVE-2019-10909>) \n**DESCRIPTION: **Drupal core is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the PHP templating engine. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159637> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n**CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n**DESCRIPTION: **Drupal core is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159633> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM API Connect | v2018.1-2018.4.1.4 \n---|--- \nIBM API Connect | v5.0.0.0-5.0.8.6 \n \n## Remediation/Fixes\n\nAffected Product | Addressed in VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n \nIBM API Connect \n\nV2018.1-2018.4.1.4\n\n| 2018.4.1.5 | LI80880 | \n\nAddressed in IBM API Connect v2018.4.1.5 fixpack.\n\nDeveloper Portal is impacted.\n\nFollow this link and find the \"portal\" package appropriate for the form factor of your installation:** **\n\n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&amp;product=ibm/WebSphere/IBM+API+Connect&amp;release=2018.4.1.4&amp;platform=All&amp;function=all&amp;source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.4&platform=All&function=all&source=fc>) \n \nIBM API Connect \n\nV5.0.0.0-5.0.8.6\n\n| 5.0.8.6 iFix | \n\nLI80880\n\n| \n\nAddressed in IBM API Connect 5.0.8.6 iFix.\n\nFollow this link and find the portal package suitable for the form factor of your installation.\n\n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&amp;product=ibm/WebSphere/IBM+API+Connect&amp;release=5.0.8.5&amp;platform=All&amp;function=fixId&amp;fixids=5.0.8.6-iFix-APIConnect-Portal-Ubuntu16-20190423-2319.ova%3A67094276418854,5.0.8.6-iFix-APIConnect-Portal-Ubuntu16-20190423-2319%3A67094276418854&amp;includeSupersedes=0&amp;source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.5&platform=All&function=fixId&fixids=5.0.8.6-iFix-APIConnect-Portal-Ubuntu16-20190423-2319.ova%3A67094276418854,5.0.8.6-iFix-APIConnect-Portal-Ubuntu16-20190423-2319%3A67094276418854&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-31T13:40:01", "type": "ibm", "title": "Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in Drupal core (CVE-2019-10909 CVE-2019-10910 CVE-2019-10911 CVE-2019-11358)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10909", "CVE-2019-10910", "CVE-2019-10911", "CVE-2019-11358"], "modified": "2019-05-31T13:40:01", "id": "E51AD2501331015E7E19A3AC49A96E1AC1A7C291EEE9E468031B3BA17AE28285", "href": "https://www.ibm.com/support/pages/node/882578", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T05:50:39", "description": "## Summary\n\nMultiple vulnerabilities (CVE-2015-9251; CVE-2019-11358; CVE-2020-11022; CVE-2020-11023) found in jQuery that is present in IBM Tivoli Network Manager (ITNM) IP Edition. jQuery versions before 3.0.0 are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. The fix contains the remediation of this component in ITNM.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 4.2 GA through to 4.2.0.15 \n \n\n\n## Remediation/Fixes\n\nThe issue has been Fixed in ITNM 4.2 Fix Pack 16 (i.e. 4.2.0.16). Upgrade ITNM 4.2 to Fix Pack 16 from Fix Central. \n\n[4.2.0-TIV-ITNMIP-Linux-FP0016](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=4.2.0-TIV-ITNMIP-Linux-FP0016&source=SAR&function=fixId&parent=ibm/Tivoli> \"4.2.0-TIV-ITNMIP-Linux-FP0016\" )\n\n[4.2.0-TIV-ITNMIP-zLinux-FP0016](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=4.2.0-TIV-ITNMIP-zLinux-FP0016&source=SAR&function=fixId&parent=ibm/Tivoli> \"4.2.0-TIV-ITNMIP-Linux-FP0016\" )\n\n[4.2.0-TIV-ITNMIP-AIX-FP0016](<https://www.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=4.2.0-TIV-ITNMIP-AIX-FP0016&source=SAR&function=fixId&parent=ibm/Tivoli> \"4.2.0-TIV-ITNMIP-Linux-FP0016\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2023-01-05T15:14:50", "type": "ibm", "title": "Security Bulletin: jQuery included in ITNM is vulnerable to Cross-site Scripting (XSS) attacks (multiple vulnerabilities)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023"], "modified": "2023-01-05T15:14:50", "id": "DAFB6976639A3A0CD92E6E7C328A7D79DE7ABB5427325AE9867BF17CA6FD2D68", "href": "https://www.ibm.com/support/pages/node/6852773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-09-07T22:54:36", "description": "## Summary\n\nThere are multiple vulnerabilities in open source libraries used by IBM MobileFirst Platform Foundation. They are addressed in this update.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM MobileFirst Foundation| 8.0.0.0 \n \n\n\n## Remediation/Fixes\n\n**Product(s)**| **Version Number(s) and/or range**| **Remediation/Fix/Instructions** \n---|---|--- \nIBM MobileFirst Platform Foundation| 8.0.0.0| iFix build 8.0.0.0-MFPF-IF202304111626 build includes fixes to resolve vulnerable third party libraries(PH53904). \n\nPlease download from [Fix Central](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FOther%20software&product=ibm/Other+software/IBM+MobileFirst+Platform+Foundation&release=All&platform=All&function=fixId&fixids=8.0.0.0-MFPF-IF202304111626&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=dbluesearch&mhsrc=ibmsearch_a&mhq=IF202304111626&login=true>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2023-04-19T17:26:48", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities found in third party libraries used by IBM\u00ae MobileFirst Platform", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023"], "modified": "2023-04-19T17:26:48", "id": "C247CDADCEBD86F6926A5A03AD862F20EC878D5E1054BCF2C6B70778E3741BB7", "href": "https://www.ibm.com/support/pages/node/6984763", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-24T05:48:05", "description": "## Summary\n\nThere are multiple vulnerabilities in JQuery that could allow an attacker to launch cross-site scripting. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Products/Versions guidance:**\n\n**Affected Product(s)**| **Version(s) \n** \n---|--- \nIBM Process Mining| 1.12.0.3 \n| \n \n## Remediation/Fixes\n\n**Remediation/Fixes guidance**:\n\n**Product(s)**| **Version(s) number and/or range **| **Remediation/Fix/Instructions** \n---|---|--- \nIBM Process Mining| 1.12.0.3| \n\n**Upgrade to version 1.12.0.4** \n \n1.Login to [PassPortAdvantage](<https://www-112.ibm.com/software/howtobuy/passportadvantage/homepage/paocustomer> \"PassPortAdvantage\" ) \n \n2\\. Search for \n**M05JKML** Process Mining 1.12.0.4 Server Multiplatform Multilingual \n \n3\\. Download package\n\n4\\. Follow install instructions \n \n5\\. Repeat for **M05JJML** Process Mining 1.12.0.4 Client Windows Multilingual \n \n| | \n \n## Workarounds and Mitigations\n\n**Workarounds/Mitigation guidance**:\n\nNone known\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2023-02-01T21:57:35", "type": "ibm", "title": "Security Bulletin: Vulnerability in jQuery affects IBM Process Mining (Multiple CVEs)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023"], "modified": "2023-02-01T21:57:35", "id": "6BC9040B51F3B0282E132873A0D807E58D8450D20237A38329B62B37AB7F1BD6", "href": "https://www.ibm.com/support/pages/node/6574037", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-24T05:58:53", "description": "## Summary\n\nSecurity vulnerabilities have been reported for Dojo and jQuery version shipped with IBM Business Automation Workflow and IBM BPM.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-15494](<https://vulners.com/cve/CVE-2018-15494>) \n** DESCRIPTION: **Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148556](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148556>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2011-4969](<https://vulners.com/cve/CVE-2011-4969>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when handling the \"location.hash\" property. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/82875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/82875>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-6708](<https://vulners.com/cve/CVE-2012-6708>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability using the to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Business Automation Workflow| V19.0 \nV18.0 \nIBM Business Process Manager| V8.6 \nV8.5 \nV8.0 \n \nFor earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\n\n## Remediation/Fixes\n\nInstall interim fixes [JR61922](<http://www.ibm.com/support/docview.wss?uid=swg1JR61922> \"JR61922\" ), [JR61948](<http://www.ibm.com/support/docview.wss?uid=swg1JR61948> \"JR61948\" ),and [JR61957](<http://www.ibm.com/support/docview.wss?uid=swg1JR61957> \"JR61957\" ) as appropriate for your current IBM Business Automation Workflow or IBM BPM version.\n\nNote that [JR61922](<http://www.ibm.com/support/docview.wss?uid=swg1JR61922> \"JR61922\" ) is superseded by [JR62228](<http://www.ibm.com/support/docview.wss?uid=swg1JR62228> \"JR62228\" ) addressing an issue with profile upgrade in case the ifix has been applied and is reapplied during upgrade to a newer version, which does not yet include the fix.\n\n * [IBM Business Automation Workflow](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Automation+Workflow&release=All&platform=All&function=aparId&apars=JR61922,JR61948,JR61957>)\n * [IBM Business Process Manager Advanced](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR61922,JR61948,JR61957>)\n * [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR61922,JR61948,JR61957>)\n * [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR61922,JR61948,JR61957>)\n\n**For IBM Business Automation Workflow V18.0 and V19.0** \n\u00b7 Upgrade to at least IBM Business Automation Workflow V19.0.0.2 as required by iFixes and then apply iFixes [JR61922](<http://www.ibm.com/support/docview.wss?uid=swg1JR61922> \"JR61922\" ), [JR61948](<http://www.ibm.com/support/docview.wss?uid=swg1JR61948> \"JR61948\" ),and [JR61957](<http://www.ibm.com/support/docview.wss?uid=swg1JR61957> \"JR61957\" ) \n\\--OR-- \n**\u00b7** Apply cumulative fix IBM Business Automation Workflow V20.0.0.1 (planned for end of Q2 2020) \n \n**For IBM BPM V8.6** \n\u00b7 Upgrade to at least IBM BPM V8.6.0.0 CF 2017.12 as required by iFixes and then apply iFixes [JR61922](<http://www.ibm.com/support/docview.wss?uid=swg1JR61922> \"JR61922\" ), [JR61948](<http://www.ibm.com/support/docview.wss?uid=swg1JR61948> \"JR61948\" ),and [JR61957](<http://www.ibm.com/support/docview.wss?uid=swg1JR61957> \"JR61957\" ) \n \n**For IBM BPM V8.5 \n**\u00b7 Upgrade to IBM BPM V8.5.7, apply [Cumulative Fix 2017.06](<http://www.ibm.com/support/docview.wss?uid=swg24043591>) and then apply iFixes [JR61922](<http://www.ibm.com/support/docview.wss?uid=swg1JR61922> \"JR61922\" ), [JR61948](<http://www.ibm.com/support/docview.wss?uid=swg1JR61948> \"JR61948\" ),and [JR61957](<http://www.ibm.com/support/docview.wss?uid=swg1JR61957> \"JR61957\" ) (Versions prior to 8.5.5 are not affected by the vulnerability fixed by [JR61922](<http://www.ibm.com/support/docview.wss?uid=swg1JR61922> \"JR61922\" )) \n \n**For IBM BPM V8.0** \n\u00b7 Upgrade to minimal [Refresh Pack 1](<http://www-01.ibm.com/support/docview.wss?uid=swg24033777>), install [Fix Pack 3](<http://www-01.ibm.com/support/docview.wss?uid=swg24037734>) as required by iFixes and then apply iFixes [JR61948](<http://www.ibm.com/support/docview.wss?uid=swg1JR61948> \"JR61948\" ),and [JR61957](<http://www.ibm.com/support/docview.wss?uid=swg1JR61957> \"JR61957\" ) (V8.0 is not affected by the vulnerability fixed by [JR61922](<http://www.ibm.com/support/docview.wss?uid=swg1JR61922> \"JR61922\" ))\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T15:28:14", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities in Dojo and jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4969", "CVE-2012-6708", "CVE-2018-15494", "CVE-2019-11358"], "modified": "2022-09-14T15:28:14", "id": "2955FD677307C59BC4E381D8CA0275D629803259C2176CE4E845D6B42BA2E178", "href": "https://www.ibm.com/support/pages/node/6155493", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:47:57", "description": "## Summary\n\nMultiple vulnerabilities identified in IBM Security Verify Privilege Manager previously known as IBM Security Privilege Manager have been addressed in the release 10.8.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID**: [CVE-2020-4842](<https://vulners.com/cve/CVE-2020-4842>) \n**DESCRIPTION**: IBM Security Secret Server could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. \nCVSS Base Score: 2.7 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/190046> for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID**: [CVE-2020-4841](<https://vulners.com/cve/CVE-2020-4841>) \n**DESCRIPTION**: IBM Security Secret Server could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/190045> for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2020-4740](<https://vulners.com/cve/CVE-2020-4740>) \n**DESCRIPTION**: IBM Security Secret Server could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/190044> for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAll versions of IBM Security Privilege Manager prior to 10.8\n\n## Remediation/Fixes\n\nUpgrade to the latest release available [here](<http://www.ibm.com/support/pages/node/6324645> \"here\" ).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-12-16T21:27:29", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Manager previously known as IBM Security Privilege Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-4740", "CVE-2020-4841", "CVE-2020-4842"], "modified": "2020-12-16T21:27:29", "id": "57AE760DFB50538BE1F8A0AE6498718A547B70C0FEC4480282AF8A01140729ED", "href": "https://www.ibm.com/support/pages/node/6336251", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-24T05:54:17", "description": "## Summary\n\nA vulnerable version of JQuery was used by API Connect. The fix includes updated JQuery which addresses CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, and CVE-2020-11023.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2012-6708](<https://vulners.com/cve/CVE-2012-6708>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability using the to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nAPI Connect| V10.0.0.0 - V10.0.5.0 \nAPI Connect| V10.0.1.0 - V10.0.1.7 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading.**\n\n**Affected Product**| **Addressed in VRMF**| **Remediation / Fix** \n---|---|--- \nIBM API Connect V10.0.0.0 - V10.0.5.0| V10.0.5.1| \n\nAddressed in IBM API Connect V10.0.5.1\n\nThe UI component is impacted.\n\nFollow this link and find the appropriate package.\n\n<https://www.ibm.com/support/pages/node/6607906> \n \nIBM API Connect V10.0.1.0 - V10.0.1.7 \n| V10.0.1.8| \n\nAddressed in IBM API Connect V10.0.1.8\n\nThe UI component is impacted.\n\nFollow this link and find the appropriate package.\n\n<https://www.ibm.com/support/pages/node/6607673> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-10-21T22:10:10", "type": "ibm", "title": "Security Bulletin: API Connect is vulnerable to JQuery Cross-Site Scripting (XSS) and other vulnerabilities (CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6708", "CVE-2015-9251", "CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023"], "modified": "2022-10-21T22:10:10", "id": "FD89F92B8829CE7392B47C0ED84C6AFC3595DB7DDA24639A8AB325F2C83DE0D3", "href": "https://www.ibm.com/support/pages/node/6831351", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-09-07T23:09:32", "description": "## Summary\n\nMultiple vulnerabilities in Dojo toolkit and jQuery version shipped with IBM WebSphere eXtreme Scale Liberty Deployment \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2012-6708](<https://vulners.com/cve/CVE-2012-6708>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability using the to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-7656](<https://vulners.com/cve/CVE-2020-7656>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the load method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182264](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182264>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-15494](<https://vulners.com/cve/CVE-2018-15494>) \n** DESCRIPTION: **Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148556](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148556>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWebSphere Extreme Scale| 8.6.1.0 - 8.6.1.5 \n \n\n\n## Remediation/Fixes\n\nProduct| Version(s)| \n\nAPAR\n\n| \n\nRemediation/First Fix \n \n---|---|---|--- \nIBM WebSphere eXtreme Scale Liberty Deployment| 8.6.1.0 - 8.6.1.5| PH53340| \n\nFor older versions, upgrade to latest fixpack 8.6.1.5 and then apply the PH53340 iFix. If you are using 8.6.1.5 directly apply the PH53340 iFix.\n\n[Recommended Fixes page for WebSphere eXtreme Scale](<http://www.ibm.com/support/docview.wss?uid=swg27018991>) \n \n## Workarounds and Mitigations\n\nNone, iFix PH53340 must be applied to correct the problem. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-21T18:07:40", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6708", "CVE-2015-9251", "CVE-2018-15494", "CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-7656"], "modified": "2023-03-21T18:07:40", "id": "1409CD05A45669BF88F7CEAB610D65B1F84FD0522659550C3AD802B5214CCF7A", "href": "https://www.ibm.com/support/pages/node/6964844", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-07T22:53:44", "description": "## Summary\n\nThere are vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203 which affects IBM Engineering Workflow Management (EWM).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nEWM| 7.0.2 \nEWM| 7.0.1 \n \n\n\n## Remediation/Fixes\n\n**Upgrade to version 7.0.2 iFix021 or later**\n\n[IBM Engineering Lifecycle Management 7.0.2 iFix021](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"\" )\n\n[IBM Engineering Workflow Management 7.0.2 iFix021](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Workflow+Management&release=7.0.2&platform=All&function=all> \"\" )\n\n**Upgrade to version 7.0.1 iFix021 or later**\n\n[IBM Engineering Lifecycle Management 7.0.1 iFix021](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"\" )\n\n[IBM Engineering Workflow Management 7.0.1 iFix021](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Workflow+Management&release=7.0.1&platform=All&function=all> \"\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-04-24T15:03:41", "type": "ibm", "title": "Security Bulletin: IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-28500", "CVE-2020-8203", "CVE-2021-23337"], "modified": "2023-04-24T15:03:41", "id": "EDBB640D9C964C319A40ED15C23232FA8D49C6B495D6EF19F248B4A314B7651D", "href": "https://www.ibm.com/support/pages/node/6985613", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-09-07T23:11:32", "description": "## Summary\n\nIBM Sterling B2B Integrator has addressed the security vulnerabilities in jQuery.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-41182](<https://vulners.com/cve/CVE-2021-41182>) \n** DESCRIPTION: **jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Datepicker widget. A remote attacker could exploit this vulnerability using the altField parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 7.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/212274](<https://exchange.xforce.ibmcloud.com/vulnerabilities/212274>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-41183](<https://vulners.com/cve/CVE-2021-41183>) \n** DESCRIPTION: **jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Datepicker widget. A remote attacker could exploit this vulnerability using the Text parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 7.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/212276](<https://exchange.xforce.ibmcloud.com/vulnerabilities/212276>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-41184](<https://vulners.com/cve/CVE-2021-41184>) \n** DESCRIPTION: **jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the .position() function. A remote attacker could exploit this vulnerability using the of parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 7.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/212277](<https://exchange.xforce.ibmcloud.com/vulnerabilities/212277>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2022-31160](<https://vulners.com/cve/CVE-2022-31160>) \n** DESCRIPTION: **jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the check-box-radio widget. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/231462](<https://exchange.xforce.ibmcloud.com/vulnerabilities/231462>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling B2B Integrator| 6.0.0.0 - 6.0.3.7 \nIBM Sterling B2B Integrator| 6.1.0.0 - 6.1.2.1 \n \n\n\n## Remediation/Fixes\n\n**Product \n** | **Version**| **APAR**| **Remediation &amp; Fix** \n---|---|---|--- \nIBM Sterling B2B Integrator| 6.0.0.0 - 6.0.3.7| IT42890| Apply 6.0.3.8 \nIBM Sterling B2B Integrator| 6.1.0.0 - 6.1.2.1| IT42890| Apply 6.1.2.2 \n \nThe IIM versions of 6.0.3.8 and 6.1.2.2 are available on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>). \n\nThe container version of 6.1.2.2 is available in IBM Entitled Registry with following tags. \n\n * cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.2 for IBM Sterling B2B Integrator\n * cp.icr.io/cp/ibm-sfg/sfg:6.1.2.2 for IBM Sterling File Gateway\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2023-03-13T16:37:51", "type": "ibm", "title": "Security Bulletin: EBICS Client of IBM Sterling B2B Interator vulnerable to multiple issues due to jQuery", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023", "CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2022-31160"], "modified": "2023-03-13T16:37:51", "id": "B673694C2888EE95A6BAB04A5C155DEAA18A41E4DF0C4AE45D1C5C2E3FD7151D", "href": "https://www.ibm.com/support/pages/node/6963091", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-09-09T10:54:35", "description": "## Summary\n\nMultiple Security Vulnerabilities have been fixed in IBM Security Directory Server, IBM Security Directory Suite and IBM Security Verify Directory.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2016-3012](<https://vulners.com/cve/CVE-2016-3012>) \n** DESCRIPTION: **IBM API Connect server credentials used for a specific restricted scenario may have been exposed in the toolkit. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/114275](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114275>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2018-1838](<https://vulners.com/cve/CVE-2018-1838>) \n** DESCRIPTION: **IBM WebSphere Application Server 8.5 and 9.0 in IBM Cloud could allow a remote attacker to obtain sensitive information caused by improper handling of passwords. IBM X-Force ID: 150811. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/150811](<https://exchange.xforce.ibmcloud.com/vulnerabilities/150811>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2015-5041](<https://vulners.com/cve/CVE-2015-5041>) \n** DESCRIPTION: **A flaw in the IBM J9 JVM allows code to invoke non-public interface methods under these circumstances. Untrusted code could potentially exploit this. This could lead to sensitive data being exposed to an attacker, or the attacker being able to inject bad data. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106719](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106719>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2012-6708](<https://vulners.com/cve/CVE-2012-6708>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability using the to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Directory Server| 6.4.0 \nIBM Security Directory Suite VA| 8.0.1 \nIBM Security Verify Directory| 10.0.0 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends that customers update their products at the earliest convenience.**\n\nIBM Security Verify Directory Container:\n\ndocker pull icr.io/isvd/verify-directory-server:10.0.0.0 latest\n\ndocker pull icr.io/isvd/verify-directory-proxy:10.0.0.0 latest\n\ndocker pull icr.io/isvd/verify-directory-seed:10.0.0.0 latest\n\nAffected Products and Versions| Fix Availability \n---|--- \nIBM Security Directory Server 6.4.0| [interim fix: 6.4.0.27-ISS-ISDS-IF0027](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Directory+Server&release=6.4.0.27&platform=All&function=fixId&fixids=6.4.0.27-ISS-ISDS-WinX64-IF0027&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true>) \nIBM Security Directory Suite VA 8.0.1| [8.0.1.19-ISS-ISDS_20230118-0304](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Directory+Suite&release=8.0.1.18&platform=All&function=fixId&fixids=8.0.1.19-ISS-ISDS_20230118-0304.pkg&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-05-23T15:08:47", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities have been fixed in IBM Security Directory Server, IBM Security Directory Suite and IBM Security Verify Directory.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6708", "CVE-2015-5041", "CVE-2015-9251", "CVE-2016-3012", "CVE-2018-1838", "CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023"], "modified": "2023-05-23T15:08:47", "id": "93FB43619692E9A4D81819FDEE2EC14BE9B5E62B4E287FD49E3F7D0FE31D653A", "href": "https://www.ibm.com/support/pages/node/6997593", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-27T21:53:26", "description": "## Summary\n\nBigFix Platform is shipped with IBM License Metric Tool. Information about a security vulnerability affecting BigFix Platform has been published in a security bulletin.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2012-5883](<https://vulners.com/cve/CVE-2012-5883>) \n** DESCRIPTION: **Bugzilla is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Flash component infrastructure in YUI script. A remote attacker could exploit this vulnerability using attack vectors related to swfstore.swf to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/80116](<https://exchange.xforce.ibmcloud.com/vulnerabilities/80116>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-5882](<https://vulners.com/cve/CVE-2012-5882>) \n** DESCRIPTION: **The YUI library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Flash component infrastructure. A remote attacker could exploit this vulnerability using attack vectors related to uploader.swf to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/80117](<https://exchange.xforce.ibmcloud.com/vulnerabilities/80117>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-5881](<https://vulners.com/cve/CVE-2012-5881>) \n** DESCRIPTION: **The YUI library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Flash component infrastructure. A remote attacker could exploit this vulnerability using attack vectors related to charts.swf to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/80118](<https://exchange.xforce.ibmcloud.com/vulnerabilities/80118>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2010-4710](<https://vulners.com/cve/CVE-2010-4710>) \n** DESCRIPTION: **YUI Library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the addItem method in the Menu widget. A remote attacker could exploit this vulnerability using a field that is added to a menu to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/65180](<https://exchange.xforce.ibmcloud.com/vulnerabilities/65180>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2010-4207](<https://vulners.com/cve/CVE-2010-4207>) \n** DESCRIPTION: **YUI Library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the charts.swf, uploader.swf and swfstore.swf scripts. A remote attacker could exploit this vulnerability using an unspecified parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/62769](<https://exchange.xforce.ibmcloud.com/vulnerabilities/62769>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2010-4208](<https://vulners.com/cve/CVE-2010-4208>) \n** DESCRIPTION: **YUI Library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Flash component infrastructure. A remote attacker could exploit this vulnerability using unknown attack vectors related to uploader.swf to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/63085](<https://exchange.xforce.ibmcloud.com/vulnerabilities/63085>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2015-6908](<https://vulners.com/cve/CVE-2015-6908>) \n** DESCRIPTION: **OpenLDAP is vulnerable to a denial of service, caused by an assertion error in the ber_get_next() function. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the slapd service to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106296](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106296>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM License Metric Tool| All \n \n \n \n\n\n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by BigFix Platform: \n\n[https://support.hcltechsw.com/csm?id=kb_article&amp;sysparm_article=KB0080774](<https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080774>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-07-24T08:16:46", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in BigFix Platform shipped with IBM License Metric Tool.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4207", "CVE-2010-4208", "CVE-2010-4710", "CVE-2012-5881", "CVE-2012-5882", "CVE-2012-5883", "CVE-2015-6908", "CVE-2019-11358"], "modified": "2020-07-24T08:16:46", "id": "0251DBCB96D0ED10DA628D06B0978F8DE5AB5BDFE82E017184802BFCC0709826", "href": "https://www.ibm.com/support/pages/node/6252755", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-07T22:07:05", "description": "## Summary\n\nThe product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-8908](<https://vulners.com/cve/CVE-2020-8908>) \n** DESCRIPTION: **Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192996](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192996>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11987](<https://vulners.com/cve/CVE-2020-11987>) \n** DESCRIPTION: **Apache XML Graphics Batik is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct SSRF attack to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197372](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197372>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-13956](<https://vulners.com/cve/CVE-2020-13956>) \n** DESCRIPTION: **Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189572](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189572>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-13954](<https://vulners.com/cve/CVE-2020-13954>) \n** DESCRIPTION: **Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191650](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191650>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim&amp;#39;s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-28657](<https://vulners.com/cve/CVE-2021-28657>) \n** DESCRIPTION: **Apache Tika is vulnerable to a denial of service, caused by an infinite loop flaw in the MP3 parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199112](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199112>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nIBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8\n\nIBM QRadar SIEM 7.4.0 to 7.4.3 GA\n\n \n\n\n \n\n\n## Remediation/Fixes\n\n[QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 9](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Vulnerability+Manager&release=All&platform=All&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20210716155826&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=SAR> \"QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 9\" )\n\n[QRadar / QRM / QVM / QRIF / QNI 7.4.3 Patch 1](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.3-QRADAR-QRSIEM-20210708143944&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp> \"QRadar / QRM / QVM / QRIF / QNI 7.4.3 Patch 1\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-07-23T13:09:43", "type": "ibm", "title": "Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11987", "CVE-2020-13954", "CVE-2020-13956", "CVE-2020-8908", "CVE-2021-28657"], "modified": "2021-07-23T13:09:43", "id": "7673ECA7C26C82F326589C66582D68F7F87357B4FB250AD73DE7E7F5EC924344", "href": "https://www.ibm.com/support/pages/node/6474843", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-27T21:50:55", "description": "## Summary\n\nIBM Security Identity Manager Virtual Appliance (ISIM VA) has addressed the following vulnerabilities\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2014-0050](<https://vulners.com/cve/CVE-2014-0050>) \n** DESCRIPTION: **Apache Commons FileUpload, as used in Apache Tomcat, Solr, and other products is vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multipart requests by MultipartStream.java. An attacker could exploit this vulnerability using a specially crafted Content-Type header to cause the application to enter into an infinite loop. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/90987](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90987>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n** CVEID: **[CVE-2016-1000031](<https://vulners.com/cve/CVE-2016-1000031>) \n** DESCRIPTION: **Apache Commons FileUpload, as used in Novell NetIQ Sentinel and other products, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of the FileUpload library. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the current process. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/117957](<https://exchange.xforce.ibmcloud.com/vulnerabilities/117957>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/114336](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2010-5312](<https://vulners.com/cve/CVE-2010-5312>) \n** DESCRIPTION: **jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the title parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/98696](<https://exchange.xforce.ibmcloud.com/vulnerabilities/98696>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-6708](<https://vulners.com/cve/CVE-2012-6708>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability using the to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-7103](<https://vulners.com/cve/CVE-2016-7103>) \n** DESCRIPTION: **jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the dialog function. A remote attacker could exploit this vulnerability using the 'closeText' parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/119601](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119601>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2011-4969](<https://vulners.com/cve/CVE-2011-4969>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when handling the \"location.hash\" property. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/82875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/82875>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nISIM VA| 7.0.2 \nISIM VA| 7.0.1 \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRMF**| **Remediation** \n---|---|--- \n \nIBM Security Identity Manager Virtual Appliance\n\n| \n\n7.0.2\n\n| \n\n[7.0.2-ISS-SIM-FP0002](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Identity+Manager&fixids=7.0.2-ISS-SIM-FP0002&source=SARASA> \"7.0.2-ISS-SIM-FP0002\" ) \n \nIBM Security Identity Manager Virtual Appliance\n\n| \n\n7.0.1\n\n| \n\n[7.0.1-ISS-SIM-FP0014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Identity+Manager&fixids=7.0.1-ISS-SIM-FP0014&source=SAR> \"7.0.1-ISS-SIM-FP0014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-15T15:22:21", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been fixed in IBM Security Identity Manager Virtual Appliance", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-5312", "CVE-2011-4969", "CVE-2012-6708", "CVE-2014-0050", "CVE-2015-9251", "CVE-2016-1000031", "CVE-2016-3092", "CVE-2016-7103", "CVE-2019-11358"], "modified": "2020-09-15T15:22:21", "id": "9ED959A552F1F1135D021720BFEF601A33E4FF298A735DCF0648EF0558E731A9", "href": "https://www.ibm.com/support/pages/node/6333027", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-27T21:50:42", "description": "## Summary\n\nMultiple vulnerabilities identified in IBM Security Verify Privilege Vault previously known as IBM Security Secret Server have been addressed in the release 10.9.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4324](<https://vulners.com/cve/CVE-2020-4324>) \n** DESCRIPTION: **IBM Security Secret Server could allow a remote attacker to bypass security restrictions, caused by improper input validation. \nCVSS Base score: 3.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177515](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177515>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-14862](<https://vulners.com/cve/CVE-2019-14862>) \n** DESCRIPTION: **Knockout is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173894](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173894>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2009-0385](<https://vulners.com/cve/CVE-2009-0385>) \n** DESCRIPTION: **FFmpeg could allow a remote attacker to execute arbitrary code on the system, caused by an integer signedness error in the fourxm_read_header() function in libavformat/4xm.c. By persuading a victim to open a specially-crafted 4X movie file with a large current_track value, a remote attacker could exploit this vulnerability to corrupt memory, trigger a NULL pointer dereference and execute arbitrary code on the system. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/48330](<https://exchange.xforce.ibmcloud.com/vulnerabilities/48330>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-14040](<https://vulners.com/cve/CVE-2018-14040>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the collapse data-parent attribute. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146468](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146468>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-14041](<https://vulners.com/cve/CVE-2018-14041>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146467](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146467>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-14042](<https://vulners.com/cve/CVE-2018-14042>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-container property of tooltip. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146466](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146466>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-8331](<https://vulners.com/cve/CVE-2019-8331>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip or popover data-template. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/157409](<https://exchange.xforce.ibmcloud.com/vulnerabilities/157409>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-4340](<https://vulners.com/cve/CVE-2020-4340>) \n** DESCRIPTION: **IBM Security Secret Server could allow an attacker to bypass SSL security due to improper certificate validation. \nCVSS Base score: 3.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178180](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178180>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAll versions of IBM Security Secret Server prior to 10.9\n\n \n\n\n## Remediation/Fixes\n\nUpgrade to the latest release available [here](<http://www.ibm.com/support/pages/node/6324645> \"here\" ).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-09-23T05:03:22", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Vault previously known as IBM Security Secret Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0385", "CVE-2015-9251", "CVE-2018-14040", "CVE-2018-14041", "CVE-2018-14042", "CVE-2019-11358", "CVE-2019-14862", "CVE-2019-8331", "CVE-2020-4324", "CVE-2020-4340"], "modified": "2020-09-23T05:03:22", "id": "D63678498B94CE4636F5CEB8FAB7C8F6F571F578E6D0EF1B23F011C3A5778E9E", "href": "https://www.ibm.com/support/pages/node/6336361", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-07T22:07:09", "description": "## Summary\n\nThere are multiple vulnerabilities that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Workflow Management (EWM), IBM Engineering Requirements Quality Assistant On-Premises, IBM Engineering Lifecycle Optimization - Publishing.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-23926](<https://vulners.com/cve/CVE-2021-23926>) \n** DESCRIPTION: **Apache XMLBeans is vulnerable to a denial of service, caused by an XML external entity (XXE) error when processing XML data. By sending a specially-crafted XML request, a remote attacker could exploit this vulnerability to cause a denial of service or obtain sensitive information. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194818](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194818>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2019-17195](<https://vulners.com/cve/CVE-2019-17195>) \n** DESCRIPTION: **Connect2id Nimbus JOSE&amp;#43;JWT is vulnerable to a denial of service, caused by the throwing of various uncaught exceptions while parsing a JWT. An attacker could exploit this vulnerability to crash the application or obtain sensitive information. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim&amp;#39;s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-2242](<https://vulners.com/cve/CVE-2021-2242>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Fusion Middleware related to the Oracle Outside In Technology component could allow an attacker to cause low confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/200368](<https://exchange.xforce.ibmcloud.com/vulnerabilities/200368>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N) \n \n** CVEID: **[CVE-2021-2240](<https://vulners.com/cve/CVE-2021-2240>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Fusion Middleware related to the Oracle Outside In Technology component could allow an attacker to cause low confidentiality impact, low integrity impact, and low availability impact. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/200366](<https://exchange.xforce.ibmcloud.com/vulnerabilities/200366>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-27842](<https://vulners.com/cve/CVE-2020-27842>) \n** DESCRIPTION: **OpenJPEG is vulnerable to a denial of service, caused by a NULL pointer dereference in lib/openjp2/tgt.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194428](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194428>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-20227](<https://vulners.com/cve/CVE-2021-20227>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a use-after-free flaw in the SELECT query function in src/select.c. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition or possibly execute arbitrary code on the system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198960](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198960>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-20507](<https://vulners.com/cve/CVE-2021-20507>) \n** DESCRIPTION: **IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198235](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198235>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-20305](<https://vulners.com/cve/CVE-2021-20305>) \n** DESCRIPTION: **Nettle could allow a remote attacker to bypass security restrictions, caused by a flaw related to several signature verification functions result in the Elliptic Curve Cryptography point (ECC) multiply function being invoked with out-of-range scalers. An attacker could exploit this vulnerability to force an invalid signature, causing an assertion failure or possible validation. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199653](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199653>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** Third Party Entry: **193738 \n** DESCRIPTION: **IBM Engineering Workflow Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/193738 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193738>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nPUB| 7.0.1 \nPUB| 7.0.2 \nPUB| 7.0 \nIBM Engineering Requirements Quality Assistant On-Premises| All \nDOORS Next| 7.0.2 \nDOORS Next| 7.0 \nDOORS Next| 7.0.1 \nCLM| 6.0.6.1 \nCLM| 6.0.6 \nELM| 7.0.2 \nELM| 7.0 \nELM| 7.0.1 \nEWM| 7.0.2 \nEWM| 7.0.1 \nRTC| 6.0.6.1 \nEWM| 7.0 \nRTC| 6.0.6 \n \n\n\n## Remediation/Fixes\n\nFor the 6.0.6 - 7.0.2 releases: \n\nUpgrade to version 7.0.2 iFix005 or later\n\n * [IBM Engineering Lifecycle Management 7.0.2 iFix005](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"\" )\n * [IBM Engineering Requirements Management DOORS Next 7.0.2 iFix005](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS+Next&release=7.0.2&platform=All&function=all> \"\" )\n * [IBM Engineering Test Management 7.0.2 iFix005](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Test+Management&release=7.0.2&platform=All&function=all> \"\" )\n * [IBM Engineering Workflow Management 7.0.2 iFix005](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Workflow+Management&release=7.0.2&platform=All&function=all> \"\" )\n * IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0.2 and install server from [ELM 7.0.2 iFix005](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"ELM 7.0.2 iFix001\" )\n * IBM Engineering Lifecycle Optimization - Publishing:_ _Upgrade to version 7.0.2 and install server from [ELM 7.0.2 iFix005](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"ELM 7.0.2 iFix001\" )\n * IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0.2 and install server from [ELM 7.0.2 iFix005](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"ELM 7.0.2 iFix001\" )\n * IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0.2 and install server from [ELM 7.0.2 iFix005](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"ELM 7.0.2 iFix001\" )\n\nUpgrade to version 7.0.1 iFix010 or later\n\n * [IBM Engineering Lifecycle Management 7.0.1 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"\" )\n * [IBM Engineering Requirements Management DOORS Next 7.0.1 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS+Next&release=7.0.1&platform=All&function=all> \"\" )\n * [IBM Engineering Test Management 7.0.1 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Test+Management&release=7.0.1&platform=All&function=all> \"IBM Engineering Test Management 7.0 iFix003\" )\n * [IBM Engineering Workflow Management 7.0.1 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Workflow+Management&release=7.0.1&platform=All&function=all> \"IBM Engineering Workflow Management 7.0 iFix003\" )\n * IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0.1 and install server from [ELM 7.0.1 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Lifecycle Optimization - Publishing:_ _Upgrade to version 7.0.1 and install server from [ELM 7.0.1 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0.1 and install server from [ELM 7.0.1 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0.1 and install server from [ELM 7.0.1 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"ELM 7.0 iFix003\" )\n\nUpgrade to version 7.0 iFix010 or later\n\n * [IBM Engineering Lifecycle Management 7.0 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"IBM Engineering Lifecycle Management 7.0 iFix003\" )\n * [IBM Engineering Requirements Management DOORS Next 7.0 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS+Next&release=7.0&platform=All&function=all> \"IBM Engineering Requirements Management DOORS Next 7.0 iFix003\" )\n * [IBM Engineering Test Management 7.0 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Test+Management&release=7.0&platform=All&function=all> \"IBM Engineering Test Management 7.0 iFix003\" )\n * [IBM Engineering Workflow Management 7.0 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Workflow+Management&release=7.0&platform=All&function=all> \"IBM Engineering Workflow Management 7.0 iFix003\" )\n * IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Lifecycle Optimization - Publishing:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n 1. \n\n\nUpgrade to version 6.0.6.1 iFix018 or later\n\n * [Rational Collaborative Lifecycle Management 6.0.6.1 iFix018](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * [Rational DOORS Next Generation 6.0.6.1 iFix018](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=6.0.6.1&platform=All&function=all>)\n * [Rational Quality Manager 6.0.6.1 iFix018](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Quality+Manager&release=6.0.6.1&platform=All&function=all>)\n * [Rational Team Concert 6.0.6.1 iFix018](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=6.0.6.1&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix018](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * Rational Publishing Engine:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix018](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix018](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix018](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix018](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n\n \n\n\nUpgrade to version 6.0.6 iFix022 or later\n\n * [Rational Collaborative Lifecycle Management 6.0.6 iFix022](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * [Rational DOORS Next Generation 6.0.6 iFix022](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=6.0.6&platform=All&function=all>)\n * [Rational Quality Manager 6.0.6 iFix022](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Quality+Manager&release=6.0.6&platform=All&function=all>)\n * [Rational Team Concert 6.0.6 iFix022](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=6.0.6&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix022](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * Rational Publishing Engine:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix022](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix022](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix022](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix022](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n\n \n\n\nFor IBM Engineering Requirements Quality Assistant On-Premises:\n\n * Please follow the [RQA Upgrade](<https://www.ibm.com/support/knowledgecenter/SS3UPN/com.ibm.help.rm.assist.doc/topics/c_rqa_upgrade_node.html>) instructions.\n\n \nFor any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n \nIf the iFix is not found in the Fix Portal please contact IBM Support.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-16T17:54:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilites affect IBM Jazz Foundation and IBM Engineering products.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2019-17195", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-27842", "CVE-2021-20227", "CVE-2021-20305", "CVE-2021-20507", "CVE-2021-2240", "CVE-2021-2242", "CVE-2021-23926"], "modified": "2021-07-16T17:54:43", "id": "7E1CB2FDA212C7A8FC0CCD8803720285F00C1F62F3E2628C7217A85BFA5FFBC8", "href": "https://www.ibm.com/support/pages/node/6473141", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-26T23:09:31", "description": "## Summary\n\nMultiple vulnerabilities in JQuery, Node.js and Swagger UI used by InfoSphere Information Server were addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-23358](<https://vulners.com/cve/CVE-2021-23358>) \n** DESCRIPTION: **Node.js underscore module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the template function. By sending a specially-crafted argument using the variable property, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198958](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198958>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-7656](<https://vulners.com/cve/CVE-2020-7656>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the load method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182264](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182264>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2012-6708](<https://vulners.com/cve/CVE-2012-6708>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability using the to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-25031](<https://vulners.com/cve/CVE-2018-25031>) \n** DESCRIPTION: **swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a specially-crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217346](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217346>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-1000229](<https://vulners.com/cve/CVE-2016-1000229>) \n** DESCRIPTION: **Swagger UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124591](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124591>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-1000233](<https://vulners.com/cve/CVE-2016-1000233>) \n** DESCRIPTION: **Swagger-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when a Content-Type: application/javascript header is included. A remote attacker could exploit this vulnerability using the url query string parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/219754](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219754>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-23383](<https://vulners.com/cve/CVE-2021-23383>) \n** DESCRIPTION: **handlebars could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution when selecting certain compiling options to compile templates coming from an untrusted source. By sending a a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/201205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/201205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-8861](<https://vulners.com/cve/CVE-2015-8861>) \n** DESCRIPTION: **Node.js handlebars module could allow a remote attacker to execute arbitrary code on the system, caused by the failure to use quotes around attributes in handlebar templates. An attacker could exploit this vulnerability to inject and execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112576](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112576>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-19919](<https://vulners.com/cve/CVE-2019-19919>) \n** DESCRIPTION: **Node.js handlebars could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially crafted payload, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173388](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173388>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** IBM X-Force ID: **220715 \n** DESCRIPTION: **Swagger UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the \"Produces\" and \"consumes\" Content-types in schema. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/220715 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220715>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** IBM X-Force ID: **222555 \n** DESCRIPTION: **Swagger UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the swagger.apiInfo.description value. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/222555 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/222555>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** IBM X-Force ID: **220879 \n** DESCRIPTION: **Swagger UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the html script tags. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/220879 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220879>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n** IBM X-Force ID: **221508 \n** DESCRIPTION: **Swagger UI could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the OpenAPI definitions. An attacker could exploit this vulnerability using the ?url parameter in a specially-crafted URL to redirect a victim to arbitrary Web sites. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/221508 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/221508>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) \n \n** IBM X-Force ID: **222535 \n** DESCRIPTION: **Nodejs module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the Templates. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/222535 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/222535>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** IBM X-Force ID: **221058 \n** DESCRIPTION: **Node.js handlebars module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the template. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/221058 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/221058>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nInfoSphere Information Server| 11.7 \n \n## Remediation/Fixes\n\n**Product**| **VRMF**| **APAR**| **Remediation** \n---|---|---|--- \nInfoSphere Information Server, InfoSphere Information Server on Cloud| 11.7| [DT196107](<https://www.ibm.com/mysupport/aCI3p000000CocJ> \"DT196107\" )| \\--Apply IBM InfoSphere Information Server version [11.7.1.0](<https://www.ibm.com/support/pages/node/878310>) \n\\--Apply InfoSphere Information Server version [11.7.1.4](<https://www.ibm.com/support/pages/node/6620275> \"11.7.1.4\" ) \n\\--Apply InfoSphere Information Server [11.7.1.4 Service pack 1](<https://www.ibm.com/support/pages/node/6989459> \"11.7.1.4 Service pack 1\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-17T19:40:16", "type": "ibm", "title": "Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in JQuery, Node.js and Swagger UI", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6708", "CVE-2015-8861", "CVE-2015-9251", "CVE-2016-1000229", "CVE-2016-1000233", "CVE-2018-25031", "CVE-2019-11358", "CVE-2019-19919", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-7656", "CVE-2021-23358", "CVE-2021-23383"], "modified": "2023-05-17T19:40:16", "id": "20372756D0D4D41E4530AE121905256C2AF155E987D21A7B2CC7D85274A6AE1D", "href": "https://www.ibm.com/support/pages/node/6988629", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T06:14:03", "description": "## Summary\n\nThe Planning Analytics Workspace component of IBM Planning Analytics is affected by vulnerabilities These have been addressed in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 69.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-23343](<https://vulners.com/cve/CVE-2021-23343>) \n** DESCRIPTION: **path-parse is vulnerable to a denial of service. By sending a specially-crafted request via splitDeviceRe, splitTailRe, and splitPathRe regular expressions, a remote attacker could exploit this vulnerability to cause a regular expression denial of service (ReDoS). \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/201206](<https://exchange.xforce.ibmcloud.com/vulnerabilities/201206>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-22931](<https://vulners.com/cve/CVE-2021-22931>) \n** DESCRIPTION: **Node.js could provide weaker than expected security, caused by missing input validation on hostnames returned by DNS servers. An attacker could exploit this vulnerability to cause output of wrong hostnames leading to Domain Hijacking and and injection vulnerabilities in applications using the library. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207230](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207230>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2021-22939](<https://vulners.com/cve/CVE-2021-22939>) \n** DESCRIPTION: **Node.js could allow a remote attacker to bypass security restrictions. If the https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, an attacker could exploit this vulnerability to connect to servers using an expired certificate. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207233](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207233>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-28458](<https://vulners.com/cve/CVE-2020-28458>) \n** DESCRIPTION: **Node.js datatables.net module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193390](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193390>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-7774](<https://vulners.com/cve/CVE-2020-7774>) \n** DESCRIPTION: **Node.js y18n module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191999](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191999>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-7788](<https://vulners.com/cve/CVE-2020-7788>) \n** DESCRIPTION: **Node.js ini module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192931](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192931>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2021-23362](<https://vulners.com/cve/CVE-2021-23362>) \n** DESCRIPTION: **Node.js hosted-git-info module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the fromUrl function in index.js. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198792](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198792>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-27290](<https://vulners.com/cve/CVE-2021-27290>) \n** DESCRIPTION: **Node.js ssri module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw by the SRIs. By sending a specially-crafted regex string, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198144](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198144>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-32803](<https://vulners.com/cve/CVE-2021-32803>) \n** DESCRIPTION: **Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient symlink protection. An attacker could use a specially-crafted tar file containing \"dot dot\" sequences (/../) to create or overwrite arbitrary files on the system. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/206717](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206717>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2021-32804](<https://vulners.com/cve/CVE-2021-32804>) \n** DESCRIPTION: **Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient absolute path sanitization. An attacker could use a specially-crafted tar file containing \"dot dot\" sequences (/../) to create or overwrite arbitrary files on the system. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/206719](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206719>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2021-20066](<https://vulners.com/cve/CVE-2021-20066>) \n** DESCRIPTION: **JSDom could allow a remote attacker to bypass security restrictions, caused by improperly allowing the loading of local resources. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions to manipulate local files by a malicious web page. \nCVSS Base score: 5.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197181](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197181>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-20526](<https://vulners.com/cve/CVE-2021-20526>) \n** DESCRIPTION: **IBM Planning Analytics could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198755](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198755>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** Third Party Entry: **207312 \n** DESCRIPTION: **Node.js helmet-csp module could allow a remote attacker to bypass security restrictions, caused by a Configuration Override affecting the application's Content Security Policy (CSP). The default-src CSP policy is deleted when the package's browser sniffs for Firefox. An attacker could exploit this vulnerability to remove an application's default CSP and possibly launch a Cross-Site Scripting attack on the system. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/207312 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207312>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM Planning Analytics 2.0\n\n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the most recent security update: \n\n\n[Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 69 from Fix Central. ](<https://www.ibm.com/support/pages/node/6498055> \"Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 69 from Fix Central.\" ) \n\n\nThis Security Bulletin is applicable to IBM Planning Analytics 2.0 (Local).\n\nThe vulnerability has been addressed on IBM Planning Analytics with Watson and no further action is required.\n\n \n\n\n \n\n\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T15:46:12", "type": "ibm", "title": "Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-28458", "CVE-2020-7774", "CVE-2020-7788", "CVE-2021-20066", "CVE-2021-20526", "CVE-2021-22931", "CVE-2021-22939", "CVE-2021-23343", "CVE-2021-23362", "CVE-2021-27290", "CVE-2021-32803", "CVE-2021-32804"], "modified": "2021-10-25T15:46:12", "id": "FC367D3847B3B18A075985BFC8A2A8898C7B9AFE3FE16A6F84968131CD5047B4", "href": "https://www.ibm.com/support/pages/node/6507095", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T06:07:46", "description": "## Summary\n\nMultiple security vulnerabilities in packages such as Apache Struts and Node.js affect WebSphere Service Registry and Repository. These have been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2017-18640](<https://vulners.com/cve/CVE-2017-18640>) \n** DESCRIPTION: **SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174331](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174331>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-15494](<https://vulners.com/cve/CVE-2018-15494>) \n** DESCRIPTION: **Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148556](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148556>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2015-8854](<https://vulners.com/cve/CVE-2015-8854>) \n** DESCRIPTION: **The Node.js marked module is vulnerable to a denial of service, caused by an error in the regular expression implementation. An attacker could exploit this vulnerability using a regular expression to cause the application to hang. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112561](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112561>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-14863](<https://vulners.com/cve/CVE-2019-14863>) \n** DESCRIPTION: **Angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173893](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173893>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-10531](<https://vulners.com/cve/CVE-2016-10531>) \n** DESCRIPTION: **Node.js marked module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the link components. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/149101](<https://exchange.xforce.ibmcloud.com/vulnerabilities/149101>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2017-1000427](<https://vulners.com/cve/CVE-2017-1000427>) \n** DESCRIPTION: **Marked is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data: URI parser. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/137243](<https://exchange.xforce.ibmcloud.com/vulnerabilities/137243>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n** DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-3721](<https://vulners.com/cve/CVE-2018-3721>) \n** DESCRIPTION: **Node.js lodash module could allow a remote attacker to bypass security restrictions, caused by a flaw in the defaultsDeep, 'merge, and mergeWith functions. By modifing the prototype of Object, an attacker could exploit this vulnerability to add or modify existing property that will exist on all objects. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/144603](<https://exchange.xforce.ibmcloud.com/vulnerabilities/144603>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWebSphere Service Registry and Repository| 8.5.x \n \n\n\n## Remediation/Fixes\n\nFor all versions of WebSphere Service Registry and Repository: \n\n * Upgrade to [WebSphere Service Registry and Repository V8.5.6.3](<https://www.ibm.com/support/pages/node/6564391> \"WebSphere Service Registry and Repository V8.5.6.3\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-22T16:08:59", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in WebSphere Service Registry and Repository in packages such as Apache Struts and Node.js", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2015-8854", "CVE-2015-9251", "CVE-2016-10531", "CVE-2017-1000427", "CVE-2017-18640", "CVE-2018-15494", "CVE-2018-3721", "CVE-2019-10086", "CVE-2019-11358", "CVE-2019-14863", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-7676"], "modified": "2022-03-22T16:08:59", "id": "63C0560C61FE9A9777F6402C4988E794A31F66C8118AFA944D2596065F5D0454", "href": "https://www.ibm.com/support/pages/node/6565389", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-09-27T03:23:18", "description": "## Summary\n\nThere are multiple vulnerabilities in open source libraries used by IBM MobileFirst Platform Foundation. They are addressed in this update.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-24998](<https://vulners.com/cve/CVE-2023-24998>) \n** DESCRIPTION: **Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limit the number of request parts to be processed in the file upload function. By sending a specially-crafted request with series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247895](<https://exchange.xforce.ibmcloud.com/vulnerabilities/247895>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-42003](<https://vulners.com/cve/CVE-2022-42003>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/237662](<https://exchange.xforce.ibmcloud.com/vulnerabilities/237662>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-42004](<https://vulners.com/cve/CVE-2022-42004>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in in the BeanDeserializer._deserializeFromArray function. By sending a specially-crafted request using deeply nested arrays, a local attacker could exploit this vulnerability to exhaust all available resources. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/237660](<https://exchange.xforce.ibmcloud.com/vulnerabilities/237660>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-20677](<https://vulners.com/cve/CVE-2018-20677>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the affix configuration target property. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155337](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155337>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-20676](<https://vulners.com/cve/CVE-2018-20676>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip data-viewport attribute. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155338](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155338>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-14040](<https://vulners.com/cve/CVE-2018-14040>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the collapse data-parent attribute. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146468](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146468>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-8331](<https://vulners.com/cve/CVE-2019-8331>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip or popover data-template. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/157409](<https://exchange.xforce.ibmcloud.com/vulnerabilities/157409>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-10735](<https://vulners.com/cve/CVE-2016-10735>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-target attribute. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155339](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155339>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-14042](<https://vulners.com/cve/CVE-2018-14042>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-container property of tooltip. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146466](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146466>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-15026](<https://vulners.com/cve/CVE-2016-15026>) \n** DESCRIPTION: **dd-plist could allow a local authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files on the server. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247964](<https://exchange.xforce.ibmcloud.com/vulnerabilities/247964>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-7656](<https://vulners.com/cve/CVE-2020-7656>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the load method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182264](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182264>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2012-6708](<https://vulners.com/cve/CVE-2012-6708>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability using the to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-39208](<https://vulners.com/cve/CVE-2021-39208>) \n** DESCRIPTION: **SharpCompress could allow a remote authenticated attacker to traverse directories on the system, caused by a flaw when WriteEntryToDirectory option is used. An attacker could send a specially-crafted archive file containing \"dot dot\" sequences (/../) to write arbitrary files on the system. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209539](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209539>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM MobileFirst Foundation| 8.x.x \n \n\n\n## Remediation/Fixes\n\n**Product(s)**| **Version Number(s) and/or range**| **Remediation/Fix/Instructions** \n---|---|--- \nIBM MobileFirst Platform Foundation| 8.0.0.0| iFix build 8.0.0.0-MFPF-IF202304111626 build includes fixes to resolve vulnerable third party libraries(PH53904). \n\nPlease download from [Fix Central](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FOther%20software&product=ibm/Other+software/IBM+MobileFirst+Platform+Foundation&release=All&platform=All&function=fixId&fixids=8.0.0.0-MFPF-IF202304111626&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=dbluesearch&mhsrc=ibmsearch_a&mhq=IF202304111626&login=true>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-19T04:25:08", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities found on thirdparty libraries used by IBM\u00ae MobileFirst Platform", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6708", "CVE-2015-9251", "CVE-2016-10735", "CVE-2016-15026", "CVE-2018-14040", "CVE-2018-14042", "CVE-2018-20676", "CVE-2018-20677", "CVE-2019-11358", "CVE-2019-8331", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-7656", "CVE-2021-39208", "CVE-2022-42003", "CVE-2022-42004", "CVE-2023-24998"], "modified": "2023-04-19T04:25:08", "id": "02208B95DC0377482AA2F9D9C05755BE90534C1B3F7475FC805AC14769FE9106", "href": "https://www.ibm.com/support/pages/node/6984699", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:32:27", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-04-21T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 4434-1 (drupal7 - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2019-04-21T00:00:00", "id": "OPENVAS:1361412562310704434", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704434", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704434\");\n script_version(\"2019-04-21T02:00:05+0000\");\n script_cve_id(\"CVE-2019-11358\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-04-21 02:00:05 +0000 (Sun, 21 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-21 02:00:05 +0000 (Sun, 21 Apr 2019)\");\n script_name(\"Debian Security Advisory DSA 4434-1 (drupal7 - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4434.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4434-1\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2019-006\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the DSA-4434-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A cross-site scripting vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional information,\nplease refer to the linked upstream advisory.\");\n\n script_tag(name:\"affected\", value:\"'drupal7' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u8.\n\nWe recommend that you upgrade your drupal7 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.52-2+deb9u8\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:14", "description": "The remote host is missing an update for the\n ", "cvss3": {}, "published": "2019-05-09T00:00:00", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2019-2a0ce0c58c", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2019-05-14T00:00:00", "id": "OPENVAS:1361412562310876327", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876327", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876327\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-11358\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-09 02:13:18 +0000 (Thu, 09 May 2019)\");\n script_name(\"Fedora Update for drupal7 FEDORA-2019-2a0ce0c58c\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-2a0ce0c58c\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the\n 'drupal7' package(s) announced via the FEDORA-2019-2a0ce0c58c advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Equipped with a powerful blend of features,\n Drupal is a Content Management System written in PHP that can support a variety\n of websites ranging from personal weblogs to large community-driven websites.\n Drupal is highly configurable, skinnable, and secure.\");\n\n script_tag(name:\"affected\", value:\"'drupal7' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.66~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:04", "description": "Drupal is prone to a cross-site scripting vulnerability in jQuery.", "cvss3": {}, "published": "2019-04-24T00:00:00", "type": "openvas", "title": "Drupal jQuery XSS Vulnerability (SA-CORE-2019-006) (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2019-04-24T00:00:00", "id": "OPENVAS:1361412562310142301", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142301", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142301\");\n script_version(\"2019-04-24T09:29:51+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-24 09:29:51 +0000 (Wed, 24 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-24 09:25:05 +0000 (Wed, 24 Apr 2019)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2019-11358\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Drupal jQuery XSS Vulnerability (SA-CORE-2019-006) (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Drupal is prone to a cross-site scripting vulnerability in jQuery.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"jQuery 3.4.0 includes a fix for some unintended behavior when using\n jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it\n could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch\n previous jQuery versions.\");\n\n script_tag(name:\"affected\", value:\"Drupal 7, 8.5.x or earlier and 8.6.x.\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.66, 8.5.15, 8.6.15 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2019-006\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_in_range(version: version, test_version: \"7.0\", test_version2: \"7.65\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.66\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.0\", test_version2: \"8.5.14\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.15\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.6\", test_version2: \"8.6.14\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.6.15\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-29T14:54:53", "description": "Discourse is prone to multiple vulnerabilities in 3rdparty components.", "cvss3": {}, "published": "2019-06-17T00:00:00", "type": "openvas", "title": "Discourse < 2.3.0.beta9 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2019-08-28T00:00:00", "id": "OPENVAS:1361412562310108601", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108601", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:discourse:discourse\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108601\");\n script_version(\"2019-08-28T13:27:25+0000\");\n script_cve_id(\"CVE-2019-11358\");\n script_tag(name:\"last_modification\", value:\"2019-08-28 13:27:25 +0000 (Wed, 28 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-17 06:03:35 +0000 (Mon, 17 Jun 2019)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Discourse < 2.3.0.beta9 Multiple Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_discourse_detect.nasl\");\n script_mandatory_keys(\"discourse/detected\");\n\n script_tag(name:\"summary\", value:\"Discourse is prone to multiple vulnerabilities in 3rdparty components.\");\n\n script_tag(name:\"insight\", value:\"The following 3rdparty components have been updated to fix security issues:\n\n - Jquery CVE-2019-11358\n\n - Update nokogiri\n\n - Update Handlebars to 4.1\");\n\n script_tag(name:\"affected\", value:\"Discourse before version 2.3.0.beta9.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.3.0.beta9.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://meta.discourse.org/t/discourse-2-3-0-beta9-release-notes/115786\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )\n exit( 0 );\n\nvers = infos[\"version\"];\n\nif( version_is_less( version:vers, test_version:\"2.3.0\" ) ||\n version_in_range( version:vers, test_version:\"2.3.0.beta1\", test_version2:\"2.3.0.beta8\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"2.3.0.beta9\", install_path:infos[\"location\"] );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-26T16:54:39", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-02-25T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for otrs2 (DLA-2118-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2020-02-25T00:00:00", "id": "OPENVAS:1361412562310892118", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892118", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892118\");\n script_version(\"2020-02-25T04:00:05+0000\");\n script_cve_id(\"CVE-2019-11358\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-02-25 04:00:05 +0000 (Tue, 25 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-25 04:00:05 +0000 (Tue, 25 Feb 2020)\");\n script_name(\"Debian LTS: Security Advisory for otrs2 (DLA-2118-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2118-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/927385\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'otrs2'\n package(s) announced via the DLA-2118-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the jQuery version embedded in OTRS, a ticket\nrequest system, was prone to a cross site scripting vulnerability in\njQuery.extend().\");\n\n script_tag(name:\"affected\", value:\"'otrs2' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n3.3.18-1+deb8u14.\n\nWe recommend that you upgrade your otrs2 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"otrs\", ver:\"3.3.18-1+deb8u14\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"otrs2\", ver:\"3.3.18-1+deb8u14\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:04", "description": "Drupal is prone to a cross-site scripting vulnerability in jQuery.", "cvss3": {}, "published": "2019-04-24T00:00:00", "type": "openvas", "title": "Drupal jQuery XSS Vulnerability (SA-CORE-2019-006) (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2019-04-24T00:00:00", "id": "OPENVAS:1361412562310142300", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142300", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142300\");\n script_version(\"2019-04-24T09:29:51+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-24 09:29:51 +0000 (Wed, 24 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-24 09:17:20 +0000 (Wed, 24 Apr 2019)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2019-11358\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Drupal jQuery XSS Vulnerability (SA-CORE-2019-006) (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Drupal is prone to a cross-site scripting vulnerability in jQuery.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"jQuery 3.4.0 includes a fix for some unintended behavior when using\n jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it\n could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch\n previous jQuery versions.\");\n\n script_tag(name:\"affected\", value:\"Drupal 7, 8.5.x or earlier and 8.6.x.\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.66, 8.5.15, 8.6.15 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2019-006\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_in_range(version: version, test_version: \"7.0\", test_version2: \"7.65\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.66\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.0\", test_version2: \"8.5.14\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.15\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.6\", test_version2: \"8.6.14\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.6.15\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-01-29T19:24:55", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-07T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for jquery (DLA-1777-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891777", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891777", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891777\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-11358\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:00:06 +0000 (Tue, 07 May 2019)\");\n script_name(\"Debian LTS: Security Advisory for jquery (DLA-1777-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1777-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jquery'\n package(s) announced via the DLA-1777-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"jQuery mishandles jQuery.extend(true, {}, ...) because of Object.prototype\npollution. If an unsanitized source object contained an enumerable __proto__\nproperty, it could extend the native Object.prototype.\");\n\n script_tag(name:\"affected\", value:\"'jquery' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n1.7.2+dfsg-3.2+deb8u6.\n\nWe recommend that you upgrade your jquery packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libjs-jquery\", ver:\"1.7.2+dfsg-3.2+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-10T17:21:12", "description": "Django is prone to a vulnerability in the bundled jQuery.", "cvss3": {}, "published": "2019-06-26T00:00:00", "type": "openvas", "title": "Django jQuery Vulnerability (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2020-03-06T00:00:00", "id": "OPENVAS:1361412562310142509", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142509", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:djangoproject:django\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142509\");\n script_version(\"2020-03-06T09:37:40+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-06 09:37:40 +0000 (Fri, 06 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-06-26 06:11:17 +0000 (Wed, 26 Jun 2019)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2019-11358\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Django jQuery Vulnerability (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_django_detect_win.nasl\");\n script_mandatory_keys(\"django/windows/detected\");\n\n script_tag(name:\"summary\", value:\"Django is prone to a vulnerability in the bundled jQuery.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"jQuery before 3.4.0, mishandles 'jQuery.extend(true, {}, ...)' because of\n 'Object.prototype' pollution. If an unsanitized source object contained an enumerable '__proto__' property, it\n could extend the native 'Object.prototype'.\");\n\n script_tag(name:\"affected\", value:\"Django versions 2.1 before 2.1.9 and 2.2 before 2.2.2.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.1.9, 2.2.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.openwall.com/lists/oss-security/2019/06/03/2\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!infos = get_app_version_and_location(cpe: CPE, exit_no_version: TRUE))\n exit(0);\n\nversion = infos['version'];\nlocation = infos['location'];\n\nif (version_in_range(version: version, test_version: \"2.1\", test_version2: \"2.1.8\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.1.9\", install_path: location);\n security_message(port: 0, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"2.2\", test_version2: \"2.2.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.2.2\", install_path: location);\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-10T17:21:12", "description": "Django is prone to a vulnerability in the bundled jQuery.", "cvss3": {}, "published": "2019-06-26T00:00:00", "type": "openvas", "title": "Django jQuery Vulnerability (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2020-03-06T00:00:00", "id": "OPENVAS:1361412562310142508", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142508", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:djangoproject:django\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142508\");\n script_version(\"2020-03-06T09:37:40+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-06 09:37:40 +0000 (Fri, 06 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-06-26 06:07:28 +0000 (Wed, 26 Jun 2019)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2019-11358\");\n\n script_tag(name:\"qod_type\", value:\"executable_version_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Django jQuery Vulnerability (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_django_detect_lin.nasl\");\n script_mandatory_keys(\"Django/Linux/Ver\");\n\n script_tag(name:\"summary\", value:\"Django is prone to a vulnerability in the bundled jQuery.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"jQuery before 3.4.0, mishandles 'jQuery.extend(true, {}, ...)' because of\n 'Object.prototype' pollution. If an unsanitized source object contained an enumerable '__proto__' property, it\n could extend the native 'Object.prototype'.\");\n\n script_tag(name:\"affected\", value:\"Django versions 2.1 before 2.1.9 and 2.2 before 2.2.2.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.1.9, 2.2.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.openwall.com/lists/oss-security/2019/06/03/2\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!infos = get_app_version_and_location(cpe: CPE, exit_no_version: TRUE))\n exit(0);\n\nversion = infos['version'];\nlocation = infos['location'];\n\nif (version_in_range(version: version, test_version: \"2.1\", test_version2: \"2.1.8\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.1.9\", install_path: location);\n security_message(port: 0, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"2.2\", test_version2: \"2.2.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.2.2\", install_path: location);\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:28", "description": "jQuery is prone to multiple vulnerabilities regarding property injection in\n Object.prototype.", "cvss3": {}, "published": "2019-04-25T00:00:00", "type": "openvas", "title": "jQuery < 3.4.0 Object Extensions Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-5428"], "modified": "2019-04-25T00:00:00", "id": "OPENVAS:1361412562310142314", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142314", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:jquery:jquery\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142314\");\n script_version(\"2019-04-25T15:35:18+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-25 15:35:18 +0000 (Thu, 25 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-25 15:17:31 +0000 (Thu, 25 Apr 2019)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2019-5428\", \"CVE-2019-11358\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\"); # Patches for lower versions available and likely to be applied\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"jQuery < 3.4.0 Object Extensions Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jquery_detect.nasl\");\n script_mandatory_keys(\"jquery/detected\");\n\n script_tag(name:\"summary\", value:\"jQuery is prone to multiple vulnerabilities regarding property injection in\n Object.prototype.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"jQuery is prone to multiple vulnerabilities:\n\n - A prototype pollution vulnerability exists that allows an attacker to inject properties on Object.prototype.\n (CVE-2019-5428)\n\n - jQuery mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source\n object contained an enumerable __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\");\n\n script_tag(name:\"affected\", value:\"jQuery prior to version 3.4.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 3.4.0 or later. Patch diffs are available for older versions.\");\n\n script_xref(name:\"URL\", value:\"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/\");\n script_xref(name:\"URL\", value:\"https://github.com/DanielRuf/snyk-js-jquery-174006?files=1\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_is_less(version: version, test_version: \"3.4.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.4.0\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-06-05T01:40:51", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-26T00:00:00", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2019-84a50e34a9", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-11831"], "modified": "2019-05-31T00:00:00", "id": "OPENVAS:1361412562310876414", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876414", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876414\");\n script_version(\"2019-05-31T13:18:49+0000\");\n script_cve_id(\"CVE-2019-11831\", \"CVE-2019-11358\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-31 13:18:49 +0000 (Fri, 31 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-26 02:12:13 +0000 (Sun, 26 May 2019)\");\n script_name(\"Fedora Update for drupal7 FEDORA-2019-84a50e34a9\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-84a50e34a9\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the FEDORA-2019-84a50e34a9 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Equipped with a powerful blend of features, Drupal is a Content Management\nSystem written in PHP that can support a variety of websites ranging from\npersonal weblogs to large community-driven websites. Drupal is highly\nconfigurable, skinnable, and secure.\");\n\n script_tag(name:\"affected\", value:\"'drupal7' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.67~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-14T14:48:57", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-08T00:00:00", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2019-5f1a2cc839", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-11831"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877098", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877098", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877098\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-11831\", \"CVE-2019-11358\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-08 11:19:26 +0000 (Wed, 08 Jan 2020)\");\n script_name(\"Fedora Update for drupal7 FEDORA-2019-5f1a2cc839\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-5f1a2cc839\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAZT2BR7AU4WD63STKMHL5PJRTH3ZFZ7\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the FEDORA-2019-5f1a2cc839 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Equipped with a powerful blend of features, Drupal is a Content Management\nSystem written in PHP that can support a variety of websites ranging from\npersonal weblogs to large community-driven websites. Drupal is highly\nconfigurable, skinnable, and secure.\");\n\n script_tag(name:\"affected\", value:\"'drupal7' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.69~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:14", "description": "The remote host is missing an update for\n the ", "cvss3": {}, "published": "2019-05-10T00:00:00", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2019-a06dffab1c", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2012-2922"], "modified": "2019-05-14T00:00:00", "id": "OPENVAS:1361412562310876342", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876342", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876342\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-11358\", \"CVE-2012-2922\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-10 02:11:35 +0000 (Fri, 10 May 2019)\");\n script_name(\"Fedora Update for drupal7 FEDORA-2019-a06dffab1c\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-a06dffab1c\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for\n the 'drupal7' package(s) announced via the FEDORA-2019-a06dffab1c advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Equipped with a powerful blend of features,\n Drupal is a Content Management System written in PHP that can support a\n variety of websites ranging from personal weblogs to large community-driven\n websites. Drupal is highly configurable, skinnable, and secure.\");\n\n script_tag(name:\"affected\", value:\"'drupal7' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.66~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-29T19:24:33", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-21T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for drupal7 (DLA-1797-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-11831"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891797", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891797", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891797\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-11358\", \"CVE-2019-11831\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-05-21 02:00:26 +0000 (Tue, 21 May 2019)\");\n script_name(\"Debian LTS: Security Advisory for drupal7 (DLA-1797-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1797-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/927330\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/928688\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2019-006\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2019-007\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the DLA-1797-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several security vulnerabilities have been discovered in drupal7, a\nPHP web site platform. The vulnerabilities affect the embedded versions\nof the jQuery JavaScript library and the Typo3 Phar Stream Wrapper\nlibrary.\n\nCVE-2019-11358\n\nIt was discovered that the jQuery version embedded in Drupal was\nprone to a cross site scripting vulnerability in jQuery.extend().\n\nCVE-2019-11831\n\nIt was discovered that incomplete validation in a Phar processing\nlibrary embedded in Drupal, a fully-featured content management\nframework, could result in information disclosure.\n\nFor additional information, please see the referenced upstream advisories.\");\n\n script_tag(name:\"affected\", value:\"'drupal7' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n7.32-1+deb8u17.\n\nWe recommend that you upgrade your drupal7 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.32-1+deb8u17\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-09T14:36:06", "description": "Joomla! is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2019-04-15T00:00:00", "type": "openvas", "title": "Joomla < 3.9.5 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-10946", "CVE-2019-10945"], "modified": "2019-10-07T00:00:00", "id": "OPENVAS:1361412562310113369", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113369", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113369\");\n script_version(\"2019-10-07T14:34:48+0000\");\n script_tag(name:\"last_modification\", value:\"2019-10-07 14:34:48 +0000 (Mon, 07 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-15 11:12:47 +0000 (Mon, 15 Apr 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2019-10945\", \"CVE-2019-10946\", \"CVE-2019-11358\");\n\n script_name(\"Joomla < 3.9.5 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"joomla_detect.nasl\");\n script_mandatory_keys(\"joomla/installed\");\n\n script_tag(name:\"summary\", value:\"Joomla! is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - The Media Manager component does not properly sanitize the folder parameter,\n allowing attackers to act outside the media manager root directory\n\n - The 'refresh list of helpsites' endpoint of com_users lacks access checks,\n allowing calls from unauthenticated users\n\n - The $.extend method of JQuery is vulnerable to Object.prototype pollution attacks (CVE-2019-11358)\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to access sensitive information\n or execute arbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"Joomla! through version 3.9.4.\");\n\n script_tag(name:\"solution\", value:\"Update to version 3.9.5.\");\n\n script_xref(name:\"URL\", value:\"https://developer.joomla.org/security-centre/777-20190401-core-directory-traversal-in-com-media\");\n script_xref(name:\"URL\", value:\"https://developer.joomla.org/security-centre/778-20190402-core-helpsites-refresh-endpoint-callable-for-unauthenticated-users\");\n script_xref(name:\"URL\", value:\"https://developer.joomla.org/security-centre.html\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:joomla:joomla\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) ) exit( 0 );\n\nversion = infos['version'];\npath = infos['location'];\n\nif( version_is_less( version: version, test_version: \"3.9.5\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.9.5\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-05T01:40:46", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-26T00:00:00", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2019-040857fd75", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-11831", "CVE-2012-2922"], "modified": "2019-05-31T00:00:00", "id": "OPENVAS:1361412562310876410", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876410", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876410\");\n script_version(\"2019-05-31T13:18:49+0000\");\n script_cve_id(\"CVE-2019-11831\", \"CVE-2019-11358\", \"CVE-2012-2922\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-31 13:18:49 +0000 (Fri, 31 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-26 02:12:06 +0000 (Sun, 26 May 2019)\");\n script_name(\"Fedora Update for drupal7 FEDORA-2019-040857fd75\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-040857fd75\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the FEDORA-2019-040857fd75 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Equipped with a powerful blend of features, Drupal is a Content Management\nSystem written in PHP that can support a variety of websites ranging from\npersonal weblogs to large community-driven websites. Drupal is highly\nconfigurable, skinnable, and secure.\");\n\n script_tag(name:\"affected\", value:\"'drupal7' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.67~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:17", "description": "The remote host is missing an update for the\n ", "cvss3": {}, "published": "2019-05-09T00:00:00", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2019-f563e66380", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2018-7602", "CVE-2012-2922"], "modified": "2019-05-14T00:00:00", "id": "OPENVAS:1361412562310876331", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876331", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876331\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-11358\", \"CVE-2012-2922\", \"CVE-2018-7602\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-09 02:13:20 +0000 (Thu, 09 May 2019)\");\n script_name(\"Fedora Update for drupal7 FEDORA-2019-f563e66380\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-f563e66380\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the\n 'drupal7' package(s) announced via the FEDORA-2019-f563e66380 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Equipped with a powerful blend of features,\n Drupal is a Content Management System written in PHP that can support a variety\n of websites ranging from personal weblogs to large community-driven websites.\n Drupal is highly configurable, skinnable, and secure.\");\n\n script_tag(name:\"affected\", value:\"'drupal7' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.66~1.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-05T01:40:47", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-26T00:00:00", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2019-41d6ffd6f0", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2018-7602", "CVE-2019-11831", "CVE-2012-2922"], "modified": "2019-05-31T00:00:00", "id": "OPENVAS:1361412562310876417", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876417", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876417\");\n script_version(\"2019-05-31T13:18:49+0000\");\n script_cve_id(\"CVE-2019-11831\", \"CVE-2019-11358\", \"CVE-2012-2922\", \"CVE-2018-7602\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-31 13:18:49 +0000 (Fri, 31 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-26 02:12:18 +0000 (Sun, 26 May 2019)\");\n script_name(\"Fedora Update for drupal7 FEDORA-2019-41d6ffd6f0\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-41d6ffd6f0\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the FEDORA-2019-41d6ffd6f0 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Equipped with a powerful blend of features, Drupal is a Content Management\nSystem written in PHP that can support a variety of websites ranging from\npersonal weblogs to large community-driven websites. Drupal is highly\nconfigurable, skinnable, and secure.\");\n\n script_tag(name:\"affected\", value:\"'drupal7' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.67~1.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:19", "description": "The remote host is missing an update for the\n ", "cvss3": {}, "published": "2019-05-09T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2019-7eaf0bbe7c", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-10911", "CVE-2019-10910", "CVE-2019-10909"], "modified": "2019-05-23T00:00:00", "id": "OPENVAS:1361412562310876325", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876325", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876325\");\n script_version(\"2019-05-23T07:06:55+0000\");\n script_cve_id(\"CVE-2019-10909\", \"CVE-2019-10910\", \"CVE-2019-10911\", \"CVE-2019-11358\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-23 07:06:55 +0000 (Thu, 23 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-09 02:13:14 +0000 (Thu, 09 May 2019)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2019-7eaf0bbe7c\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-7eaf0bbe7c\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the\n 'drupal8' package(s) announced via the FEDORA-2019-7eaf0bbe7c advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Drupal is an open source content management\n platform powering millions of websites and applications. Its built, used, and\n supported by an active and diverse community of people around the world.\");\n\n script_tag(name:\"affected\", value:\"'drupal8' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.15~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:17", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-08T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2019-eba8e44ee6", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-10911", "CVE-2019-10910", "CVE-2019-10909"], "modified": "2019-05-23T00:00:00", "id": "OPENVAS:1361412562310876319", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876319", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876319\");\n script_version(\"2019-05-23T07:06:55+0000\");\n script_cve_id(\"CVE-2019-10909\", \"CVE-2019-10910\", \"CVE-2019-10911\", \"CVE-2019-11358\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-23 07:06:55 +0000 (Thu, 23 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-08 02:09:55 +0000 (Wed, 08 May 2019)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2019-eba8e44ee6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-eba8e44ee6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the FEDORA-2019-eba8e44ee6 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Drupal is an open source content management platform powering millions of\nwebsites and applications. Its built, used, and supported by an active and\ndiverse community of people around the world.\");\n\n script_tag(name:\"affected\", value:\"'drupal8' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.15~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T16:27:18", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for python-Django (openSUSE-SU-2019:1839-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-14233", "CVE-2019-14235", "CVE-2019-12781", "CVE-2019-14234", "CVE-2019-12308", "CVE-2019-14232"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310852959", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852959", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852959\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-11358\", \"CVE-2019-12308\", \"CVE-2019-12781\", \"CVE-2019-14232\",\n \"CVE-2019-14233\", \"CVE-2019-14234\", \"CVE-2019-14235\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 09:47:56 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"openSUSE: Security Advisory for python-Django (openSUSE-SU-2019:1839-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1839-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-Django'\n package(s) announced via the openSUSE-SU-2019:1839-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for python-Django fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2019-11358: Fixed prototype pollution.\n\n - CVE-2019-12308: Fixed XSS in AdminURLFieldWidget (bsc#1136468)\n\n - CVE-2019-12781: Fixed incorrect HTTP detection with reverse-proxy\n connecting via HTTPS (bsc#1139945).\n\n - CVE-2019-14232: Fixed denial-of-service possibility in\n ``django.utils.text.Truncator`` (bsc#1142880).\n\n - CVE-2019-14233: Fixed denial-of-service possibility in ``strip_tags()``\n (bsc#1142882).\n\n - CVE-2019-14234: Fixed SQL injection possibility in key and index lookups\n for ``JSONField``/``HStoreField`` (bsc#1142883).\n\n - CVE-2019-14235: Fixed potential memory exhaustion in\n ``django.utils.encoding.uri_to_iri()`` (bsc#1142885).\n\n Non-security issues fixed:\n\n - Fixed a migration crash on PostgreSQL when adding a check constraint\n with a contains lookup on DateRangeField or DateTimeRangeField, if the\n right hand side of an expression is the same type.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-1839=1\");\n\n script_tag(name:\"affected\", value:\"'python-Django' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-Django\", rpm:\"python3-Django~2.2.4~lp151.2.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-22T13:49:17", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-06-13T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 4460-1 (mediawiki - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-12472", "CVE-2019-12474", "CVE-2019-12471", "CVE-2019-12473", "CVE-2019-12470", "CVE-2019-12467", "CVE-2019-12466", "CVE-2019-12469", "CVE-2019-12468"], "modified": "2019-07-22T00:00:00", "id": "OPENVAS:1361412562310704460", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704460", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704460\");\n script_version(\"2019-07-22T07:46:43+0000\");\n script_cve_id(\"CVE-2019-11358\", \"CVE-2019-12466\", \"CVE-2019-12467\", \"CVE-2019-12468\", \"CVE-2019-12469\", \"CVE-2019-12470\", \"CVE-2019-12471\", \"CVE-2019-12472\", \"CVE-2019-12473\", \"CVE-2019-12474\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-22 07:46:43 +0000 (Mon, 22 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-13 02:00:12 +0000 (Thu, 13 Jun 2019)\");\n script_name(\"Debian Security Advisory DSA 4460-1 (mediawiki - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4460.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4460-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mediawiki'\n package(s) announced via the DSA-4460-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple security vulnerabilities have been discovered in MediaWiki, a\nwebsite engine for collaborative work, which may result in authentication\nbypass, denial of service, cross-site scripting, information disclosure\nand bypass of anti-spam measures.\");\n\n script_tag(name:\"affected\", value:\"'mediawiki' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 1:1.27.7-1~deb9u1.\n\nWe recommend that you upgrade your mediawiki packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"mediawiki\", ver:\"1:1.27.7-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"mediawiki-classes\", ver:\"1:1.27.7-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:16", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-08T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2019-1a3edd7e8a", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2018-7600", "CVE-2019-10911", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2019-10910", "CVE-2019-10909", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310876320", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876320", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876320\");\n script_version(\"2019-05-17T10:04:07+0000\");\n script_cve_id(\"CVE-2019-10909\", \"CVE-2019-10910\", \"CVE-2019-10911\", \"CVE-2019-11358\", \"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:04:07 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-08 02:09:58 +0000 (Wed, 08 May 2019)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2019-1a3edd7e8a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-1a3edd7e8a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the FEDORA-2019-1a3edd7e8a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Drupal is an open source content management platform powering millions of\nwebsites and applications. Its built, used, and supported by an active and\ndiverse community of people around the world.\");\n\n script_tag(name:\"affected\", value:\"'drupal8' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.15~1.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-04-27T00:03:01", "description": "# jquery-prototype-pollution-fix\nA fix for CVE-2019-11...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-07-18T19:15:33", "type": "githubexploit", "title": "Exploit for Prototype Pollution in Jquery", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2021-12-05T21:57:04", "id": "E83D6606-6F89-5700-B703-B87CF90D6565", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-14T05:01:24", "description": "## NOTICE\n\nThis repository contains the public FTC SDK for the S...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-03-08T11:34:11", "type": "githubexploit", "title": "Exploit for Prototype Pollution in Jquery", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2022-08-14T04:50:09", "id": "2B8C7714-D2D7-50C4-BEB8-B616BD51A554", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "privateArea": 1}, {"lastseen": "2022-04-11T20:46:03", "description": "[jQuery](https://jquery.com/) \u2014 New Wave JavaScript\n============...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-12-01T09:18:58", "type": "githubexploit", "title": "Exploit for Prototype Pollution in Jquery", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2020-12-09T13:00:53", "id": "B38C8387-765B-587E-BBED-9336E586B3E2", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-10T00:00:00", "description": "This repository contains the patches for [CVE-2019-11358 - proto...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-03-30T10:03:36", "type": "githubexploit", "title": "Exploit for Cross-site Scripting in Jquery", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5428", "CVE-2019-11358"], "modified": "2021-11-08T16:11:47", "id": "C7E2EC97-A49D-5063-BC43-995A0E058FCF", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "privateArea": 1}, {"lastseen": "2022-04-02T19:35:55", "description": "This repository contains the patches for [CVE-2020-11022](https:...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-14T19:12:01", "type": "githubexploit", "title": "Exploit for Cross-site Scripting in Jquery", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2019-5428", "CVE-2020-1102", "CVE-2020-11022", "CVE-2020-11023"], "modified": "2022-04-02T09:19:46", "id": "C0148A2C-75C9-5375-AE2F-DBEDCCD0999F", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}], "atlassian": [{"lastseen": "2021-07-28T14:40:51", "description": "The bundled version of jQuery in Fisheye before version 4.7.1 was vulnerable to CVE-2019-11358 (https://nvd.nist.gov/vuln/detail/CVE-2019-11358). This was fixed by patching the version of jQuery bundled with Fisheye.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2019-07-08T22:50:18", "type": "atlassian", "title": "Address CVE-2019-11358 in the bundled version of jQuery", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2019-07-22T10:23:16", "id": "ATLASSIAN:FE-7196", "href": "https://jira.atlassian.com/browse/FE-7196", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-09-07T23:19:49", "description": "The bundled version of jQuery in Crucible before version 4.7.1 was vulnerable to CVE-2019-11358 (https://nvd.nist.gov/vuln/detail/CVE-2019-11358). This was fixed by patching the version of jQuery bundled with Crucible.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-07-08T22:57:45", "type": "atlassian", "title": "Address CVE-2019-11358 in the bundled version of jQuery", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2020-01-07T06:19:33", "id": "CRUC-8408", "href": "https://jira.atlassian.com/browse/CRUC-8408", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-09-07T23:13:48", "description": "The bundled version of jQuery in Fisheye before version 4.7.1 was vulnerable to CVE-2019-11358 (https://nvd.nist.gov/vuln/detail/CVE-2019-11358). This was fixed by patching the version of jQuery bundled with Fisheye.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-07-08T22:50:18", "type": "atlassian", "title": "Address CVE-2019-11358 in the bundled version of jQuery", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2019-07-22T10:23:16", "id": "FE-7196", "href": "https://jira.atlassian.com/browse/FE-7196", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-09-07T22:53:15", "description": "The version of jQuery used in Jira before 8.2.3 was vulnerable to CVE-2019-11358. This issue was addressed by updating Jira server to use a patched & custom version of jQuery (2.2.4.7).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-08-01T05:11:29", "type": "atlassian", "title": "Update jQuery to address CVE-2019-11358", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2022-04-20T18:54:53", "id": "JRASERVER-69725", "href": "https://jira.atlassian.com/browse/JRASERVER-69725", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-09-07T23:48:06", "description": "Bitbucket Server comes with jQuery version 2.2.4. This version of jQuery is vulnerable to a security bug (CVE-2019-11358, [https://nvd.nist.gov/vuln/detail/CVE-2019-11358]) which is only fixed in jQuery 3.4.0.\r\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-05-13T01:57:29", "type": "atlassian", "title": "jQuery 2.2.4 is vulnerable to prototype pollution", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2022-04-20T18:54:56", "id": "BSERV-11753", "href": "https://jira.atlassian.com/browse/BSERV-11753", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T14:40:33", "description": "Bitbucket Server comes with jQuery version 2.2.4. This version of jQuery is vulnerable to a security bug (CVE-2019-11358, [https://nvd.nist.gov/vuln/detail/CVE-2019-11358]) which is only fixed in jQuery 3.4.0.\r\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2019-05-13T01:57:29", "type": "atlassian", "title": "jQuery 2.2.4 is vulnerable to prototype pollution", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2019-12-10T04:31:40", "id": "ATLASSIAN:BSERV-11753", "href": "https://jira.atlassian.com/browse/BSERV-11753", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T14:40:45", "description": "The version of jQuery used in Jira before 8.2.3 was vulnerable to CVE-2019-11358. This issue was addressed by updating Jira server to use a patched & custom version of jQuery (2.2.4.7).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2019-08-01T05:11:29", "type": "atlassian", "title": "Update jQuery to address CVE-2019-11358", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2021-04-27T01:58:57", "id": "ATLASSIAN:JRASERVER-69725", "href": "https://jira.atlassian.com/browse/JRASERVER-69725", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T14:40:33", "description": "The bundled version of jQuery in Crucible before version 4.7.1 was vulnerable to CVE-2019-11358 (https://nvd.nist.gov/vuln/detail/CVE-2019-11358). This was fixed by patching the version of jQuery bundled with Crucible.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2019-07-08T22:57:45", "type": "atlassian", "title": "Address CVE-2019-11358 in the bundled version of jQuery", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2020-01-07T06:19:33", "id": "ATLASSIAN:CRUC-8408", "href": "https://jira.atlassian.com/browse/CRUC-8408", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-05-11T13:20:19", "description": "h3. Issue Summary\r\njQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. Jira uses jQuery 2.2.4 (as of Jira 8.8.0) \r\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-9251\r\n\r\nh3. Steps to Reproduce\r\n-\r\nh3. Expected Results\r\nJira uses jQuery v3.0.0 or newer.\r\n\r\nh3. Actual Results\r\nJira uses jQuery 2.2.4\r\n\r\nh3. Workaround\r\n Currently there is no known workaround for this behavior. A workaround will be added here when available", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2020-04-20T13:29:57", "type": "atlassian", "title": "Jira uses vulnerable jQuery version CVE-2015-9251", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358"], "modified": "2020-05-11T09:26:15", "id": "ATLASSIAN:JRASERVER-70929", "href": "https://jira.atlassian.com/browse/JRASERVER-70929", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "redhatcve": [{"lastseen": "2023-08-03T05:46:08", "description": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-07-18T00:15:31", "type": "redhatcve", "title": "CVE-2019-11358", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2023-07-22T08:41:55", "id": "RH:CVE-2019-11358", "href": "https://access.redhat.com/security/cve/cve-2019-11358", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2021-10-22T12:16:36", "description": "Package : jquery\nVersion : 1.7.2+dfsg-3.2+deb8u6\nCVE ID : CVE-2019-11358\n\njQuery mishandles jQuery.extend(true, {}, ...) because of Object.prototype\npollution. If an unsanitized source object contained an enumerable __proto__\nproperty, it could extend the native Object.prototype. For additional\ninformation, please refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2019-006 .\n\nFor Debian 8 &quot;Jessie&quot;, this problem has been fixed in version\n1.7.2+dfsg-3.2+deb8u6.\n\nWe recommend that you upgrade your jquery packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2019-05-06T07:42:05", "type": "debian", "title": "[SECURITY] [DLA 1777-1] jquery security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2019-05-06T07:42:05", "id": "DEBIAN:DLA-1777-1:55799", "href": "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-03-05T21:24:36", "description": "Package : otrs2\nVersion : 3.3.18-1+deb8u14\nCVE ID : CVE-2019-11358\nDebian Bug : 927385\n\n\nIt was discovered that the jQuery version embedded in OTRS, a ticket\nrequest system, was prone to a cross site scripting vulnerability in\njQuery.extend().\n\nFor Debian 8 &quot;Jessie&quot;, this problem has been fixed in version\n3.3.18-1+deb8u14.\n\nWe recommend that you upgrade your otrs2 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-02-24T17:03:32", "type": "debian", "title": "[SECURITY] [DLA 2118-1] otrs2 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2020-02-24T17:03:32", "id": "DEBIAN:DLA-2118-1:5E0A4", "href": "https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-05-04T15:21:39", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4434-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nApril 20, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : drupal7\nCVE ID : CVE-2019-11358\nDebian Bug : 927330\n\nA cross-site scripting vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional information,\nplease refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2019-006 .\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u8.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-04-20T12:03:09", "type": "debian", "title": "[SECURITY] [DSA 4434-1] drupal7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2019-04-20T12:03:09", "id": "DEBIAN:DSA-4434-1:D2F07", "href": "https://lists.debian.org/debian-security-announce/2019/msg00078.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-10-21T18:47:38", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4434-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nApril 20, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : drupal7\nCVE ID : CVE-2019-11358\nDebian Bug : 927330\n\nA cross-site scripting vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional information,\nplease refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2019-006 .\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u8.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2019-04-20T12:03:09", "type": "debian", "title": "[SECURITY] [DSA 4434-1] drupal7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2019-04-20T12:03:09", "id": "DEBIAN:DSA-4434-1:82FB6", "href": "https://lists.debian.org/debian-security-announce/2019/msg00078.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-03-25T11:41:30", "description": "Package : drupal7\nVersion : 7.32-1+deb8u17\nCVE ID : CVE-2019-11358 CVE-2019-11831\nDebian Bug : 927330 928688\n\nSeveral security vulnerabilities have been discovered in drupal7, a\nPHP web site platform. The vulnerabilities affect the embedded versions\nof the jQuery JavaScript library and the Typo3 Phar Stream Wrapper\nlibrary.\n\nCVE-2019-11358\n\n It was discovered that the jQuery version embedded in Drupal was\n prone to a cross site scripting vulnerability in jQuery.extend().\n\n For additional information, please refer to the upstream advisory\n at https://www.drupal.org/sa-core-2019-006.\n\nCVE-2019-11831\n\n It was discovered that incomplete validation in a Phar processing\n library embedded in Drupal, a fully-featured content management\n framework, could result in information disclosure.\n\n For additional information, please refer to the upstream advisory\n at https://www.drupal.org/sa-core-2019-007.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n7.32-1+deb8u17.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n\n- -- \nJonas Meurer", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-20T14:21:50", "type": "debian", "title": "[SECURITY] [DLA 1797-1] drupal7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2019-11831"], "modified": "2019-05-20T14:21:50", "id": "DEBIAN:DLA-1797-1:1A7B8", "href": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T12:14:32", "description": "Package : drupal7\nVersion : 7.32-1+deb8u17\nCVE ID : CVE-2019-11358 CVE-2019-11831\nDebian Bug : 927330 928688\n\nSeveral security vulnerabilities have been discovered in drupal7, a\nPHP web site platform. The vulnerabilities affect the embedded versions\nof the jQuery JavaScript library and the Typo3 Phar Stream Wrapper\nlibrary.\n\nCVE-2019-11358\n\n It was discovered that the jQuery version embedded in Drupal was\n prone to a cross site scripting vulnerability in jQuery.extend().\n\n For additional information, please refer to the upstream advisory\n at https://www.drupal.org/sa-core-2019-006.\n\nCVE-2019-11831\n\n It was discovered that incomplete validation in a Phar processing\n library embedded in Drupal, a fully-featured content management\n framework, could result in information disclosure.\n\n For additional information, please refer to the upstream advisory\n at https://www.drupal.org/sa-core-2019-007.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n7.32-1+deb8u17.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n\n- -- \nJonas Meurer", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-20T14:21:50", "type": "debian", "title": "[SECURITY] [DLA 1797-1] drupal7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2019-11831"], "modified": "2019-05-20T14:21:50", "id": "DEBIAN:DLA-1797-1:A2877", "href": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-04T15:20:35", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4460-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJune 12, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mediawiki\nCVE ID : CVE-2019-11358 CVE-2019-12466 CVE-2019-12467 CVE-2019-12468 \n CVE-2019-12469 CVE-2019-12470 CVE-2019-12471 CVE-2019-12472 \n CVE-2019-12473 CVE-2019-12474\n\nMultiple security vulnerabilities have been discovered in MediaWiki, a\nwebsite engine for collaborative work, which may result in authentication\nbypass, denial of service, cross-site scripting, information disclosure\nand bypass of anti-spam measures.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1:1.27.7-1~deb9u1.\n\nWe recommend that you upgrade your mediawiki packages.\n\nFor the detailed security status of mediawiki please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/mediawiki\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-11T22:27:04", "type": "debian", "title": "[SECURITY] [DSA 4460-1] mediawiki security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358", "CVE-2019-12466", "CVE-2019-12467", "CVE-2019-12468", "CVE-2019-12469", "CVE-2019-12470", "CVE-2019-12471", "CVE-2019-12472", "CVE-2019-12473", "CVE-2019-12474"], "modified": "2019-06-11T22:27:04", "id": "DEBIAN:DSA-4460-1:50632", "href": "https://lists.debian.org/debian-security-announce/2019/msg00106.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2021-06-08T18:49:28", "description": "### Description\n\nJQuery is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. JQuery versions prior to 3.4.0 are vulnerable.\n\n### Technologies Affected\n\n * Backdrop Backdrop 1.11.0 \n * Backdrop Backdrop 1.11.1 \n * Backdrop Backdrop 1.11.2 \n * Backdrop Backdrop 1.11.3 \n * Backdrop Backdrop 1.11.4 \n * Backdrop Backdrop 1.11.5 \n * Backdrop Backdrop 1.11.6 \n * Backdrop Backdrop 1.11.7 \n * Backdrop Backdrop 1.11.8 \n * Backdrop Backdrop 1.12.0 \n * Backdrop Backdrop 1.12.1 \n * Backdrop Backdrop 1.12.2 \n * Backdrop Backdrop 1.12.3 \n * Backdrop Backdrop 1.12.4 \n * Backdrop Backdrop 1.12.5 \n * Drupal Drupal 7 \n * Drupal Drupal 7.0 \n * Drupal Drupal 7.10 \n * Drupal Drupal 7.11 \n * Drupal Drupal 7.12 \n * Drupal Drupal 7.13 \n * Drupal Drupal 7.14 \n * Drupal Drupal 7.15 \n * Drupal Drupal 7.16 \n * Drupal Drupal 7.17 \n * Drupal Drupal 7.19 \n * Drupal Drupal 7.20 \n * Drupal Drupal 7.21 \n * Drupal Drupal 7.22 \n * Drupal Drupal 7.23 \n * Drupal Drupal 7.24 \n * Drupal Drupal 7.25 \n * Drupal Drupal 7.26 \n * Drupal Drupal 7.27 \n * Drupal Drupal 7.28 \n * Drupal Drupal 7.29 \n * Drupal Drupal 7.30 \n * Drupal Drupal 7.31 \n * Drupal Drupal 7.32 \n * Drupal Drupal 7.33 \n * Drupal Drupal 7.34 \n * Drupal Drupal 7.35 \n * Drupal Drupal 7.36 \n * Drupal Drupal 7.37 \n * Drupal Drupal 7.38 \n * Drupal Drupal 7.39 \n * Drupal Drupal 7.4 \n * Drupal Drupal 7.40 \n * Drupal Drupal 7.41 \n * Drupal Drupal 7.42 \n * Drupal Drupal 7.44 \n * Drupal Drupal 7.5 \n * Drupal Drupal 7.52 \n * Drupal Drupal 7.54 \n * Drupal Drupal 7.55 \n * Drupal Drupal 7.56 \n * Drupal Drupal 7.57 \n * Drupal Drupal 7.58 \n * Drupal Drupal 7.59 \n * Drupal Drupal 7.62 \n * Drupal Drupal 7.65 \n * Drupal Drupal 7.8 \n * Drupal Drupal 7.9 \n * Drupal Drupal 8.5 \n * Drupal Drupal 8.5.0 \n * Drupal Drupal 8.5.1 \n * Drupal Drupal 8.5.11 \n * Drupal Drupal 8.5.14 \n * Drupal Drupal 8.5.2 \n * Drupal Drupal 8.5.3 \n * Drupal Drupal 8.5.6 \n * Drupal Drupal 8.5.7 \n * Drupal Drupal 8.5.8 \n * Drupal Drupal 8.5.9 \n * Drupal Drupal 8.6 \n * Drupal Drupal 8.6.1 \n * Drupal Drupal 8.6.10 \n * Drupal Drupal 8.6.13 \n * Drupal Drupal 8.6.2 \n * Drupal Drupal 8.6.3 \n * Drupal Drupal 8.6.4 \n * Drupal Drupal 8.6.5 \n * Drupal Drupal 8.6.6 \n * Oracle ADF 11.1.1.9.0 \n * Oracle ADF 12.1.3.0.0 \n * Oracle ADF 12.2.1.3.0 \n * Oracle Agile Product Lifecycle Management for Process 6.2.0.0 \n * Oracle Agile Product Lifecycle Management for Process 6.2.1.0 \n * Oracle Agile Product Lifecycle Management for Process 6.2.2.0 \n * Oracle Agile Product Lifecycle Management for Process 6.2.3.0 \n * Oracle Application Testing Suite 13.2 \n * Oracle Application Testing Suite 13.3 \n * Oracle Banking Platform 2.4.0 \n * Oracle Banking Platform 2.4.1 \n * Oracle Banking Platform 2.5 \n * Oracle Banking Platform 2.5.0 \n * Oracle Banking Platform 2.6 \n * Oracle Banking Platform 2.6.0 \n * Oracle Banking Platform 2.6.1 \n * Oracle Banking Platform 2.6.2 \n * Oracle Banking Platform 2.7.1 \n * Oracle Communications Billing and Revenue Management 12.0 \n * Oracle Communications Billing and Revenue Management 7.5 \n * Oracle Diagnostic Assistant 2.12.36 \n * Oracle Enterprise Manager Ops Center 12.3.3 \n * Oracle Enterprise Manager Ops Center 12.4.0 \n * Oracle Financial Services Analytical Applications Infrastructure 7.3.3 \n * Oracle Financial Services Analytical Applications Infrastructure 7.3.4 \n * Oracle Financial Services Analytical Applications Infrastructure 7.3.5 \n * Oracle Financial Services Analytical Applications Infrastructure 8.0.2 \n * Oracle Financial Services Analytical Applications Infrastructure 8.0.3 \n * Oracle Financial Services Analytical Applications Infrastructure 8.0.4 \n * Oracle Financial Services Analytical Applications Infrastructure 8.0.5 \n * Oracle Financial Services Analytical Applications Infrastructure 8.0.6 \n * Oracle Financial Services Analytical Applications Infrastructure 8.0.7 \n * Oracle Financial Services Analytical Applications Infrastructure 8.0.8 \n * Oracle Financial Services Analytical Applications Reconciliation Framew 8.0.4 \n * Oracle Financial Services Analytical Applications Reconciliation Framew 8.0.7 \n * Oracle Financial Services Asset Liability Management 8.0.4 \n * Oracle Financial Services Asset Liability Management 8.0.5 \n * Oracle Financial Services Asset Liability Management 8.0.7 \n * Oracle Financial Services Basel Regulatory Capital Basic 8.0.4 \n * Oracle Financial Services Basel Regulatory Capital Basic 8.0.7 \n * Oracle Financial Services Basel Regulatory Capital Internal Ratings Bas 8.0.4 \n * Oracle Financial Services Basel Regulatory Capital Internal Ratings Bas 8.0.7 \n * Oracle Financial Services Data Foundation 8.0.4 \n * Oracle Financial Services Data Foundation 8.0.5 \n * Oracle Financial Services Data Foundation 8.0.8 \n * Oracle Financial Services Data Integration Hub 8.0.5 \n * Oracle Financial Services Data Integration Hub 8.0.7 \n * Oracle Financial Services Enterprise Financial Performance Analytics 8.0.6 \n * Oracle Financial Services Enterprise Financial Performance Analytics 8.0.7 \n * Oracle Financial Services Funds Transfer Pricing 8.0.4 \n * Oracle Financial Services Funds Transfer Pricing 8.0.5 \n * Oracle Financial Services Funds Transfer Pricing 8.0.7 \n * Oracle Financial Services Hedge Management and IFRS Valuations 8.0.4 \n * Oracle Financial Services Hedge Management and IFRS Valuations 8.0.5 \n * Oracle Financial Services Hedge Management and IFRS Valuations 8.0.7 \n * Oracle Financial Services Institutional Performance Analytics 8.0.4 \n * Oracle Financial Services Institutional Performance Analytics 8.0.5 \n * Oracle Financial Services Institutional Performance Analytics 8.0.7 \n * Oracle Financial Services Liquidity Risk Management 8.0.1 \n * Oracle Financial Services Liquidity Risk Management 8.0.2 \n * Oracle Financial Services Liquidity Risk Management 8.0.4 \n * Oracle Financial Services Liquidity Risk Management 8.0.5 \n * Oracle Financial Services Liquidity Risk Management 8.0.6 \n * Oracle Financial Services Liquidity Risk Measurement and Management 8.0.7 \n * Oracle Financial Services Liquidity Risk Measurement and Management 8.0.8 \n * Oracle Financial Services Loan Loss Forecasting and Provisioning 8.0.2 \n * Oracle Financial Services Loan Loss Forecasting and Provisioning 8.0.3 \n * Oracle Financial Services Loan Loss Forecasting and Provisioning 8.0.4 \n * Oracle Financial Services Loan Loss Forecasting and Provisioning 8.0.5 \n * Oracle Financial Services Loan Loss Forecasting and Provisioning 8.0.7 \n * Oracle Financial Services Market Risk Measurement and Management 8.0.5 \n * Oracle Financial Services Market Risk Measurement and Management 8.0.6 \n * Oracle Financial Services Market Risk Measurement and Management 8.0.8 \n * Oracle Financial Services Price Creation and Discovery 8.0.4 \n * Oracle Financial Services Price Creation and Discovery 8.0.5 \n * Oracle Financial Services Price Creation and Discovery 8.0.7 \n * Oracle Financial Services Profitability Management 8.0.4 \n * Oracle Financial Services Profitability Management 8.0.5 \n * Oracle Financial Services Profitability Management 8.0.6 \n * Oracle Financial Services Profitability Management 8.0.7 \n * Oracle Financial Services Regulatory Reporting for European Banking Aut 8.0.6 \n * Oracle Financial Services Regulatory Reporting for European Banking Aut 8.0.7 \n * Oracle Financial Services Regulatory Reporting for US Federal Reserve 8.0.4 \n * Oracle Financial Services Regulatory Reporting for US Federal Reserve 8.0.7 \n * Oracle Financial Services Retail Customer Analytics 8.0.4 \n * Oracle Financial Services Retail Customer Analytics 8.0.5 \n * Oracle Financial Services Retail Customer Analytics 8.0.6 \n * Oracle Financial Services Retail Performance Analytics 8.0.6 \n * Oracle Financial Services Retail Performance Analytics 8.0.7 \n * Oracle Financial Services Revenue Management and Billing 2.4.0.0.0 \n * Oracle Financial Services Revenue Management and Billing 2.4.0.1 \n * Oracle Healthcare Foundation 7.1.1 \n * Oracle Healthcare Foundation 7.2.2 \n * Oracle Healthcare Translational Research 3.1.0 \n * Oracle Healthcare Translational Research 3.2.1 \n * Oracle Healthcare Translational Research 3.3.1 \n * Oracle Hospitality Guest Access 4.2.0 \n * Oracle Hospitality Guest Access 4.2.1 \n * Oracle Hospitality Materials Control 18.1 \n * Oracle Insurance Allocation Manager for Enterprise Profitability 8.0.8 \n * Oracle Insurance Data Foundation 8.0.4 \n * Oracle Insurance Data Foundation 8.0.5 \n * Oracle Insurance Data Foundation 8.0.7 \n * Oracle Insurance IFRS 17 Analyzer 8.0.6 \n * Oracle Insurance IFRS 17 Analyzer 8.0.7 \n * Oracle Insurance Performance Insight 8.0.7 \n * Oracle JDeveloper 11.1.1.9.0 \n * Oracle JDeveloper 12.1.3.0.0 \n * Oracle JDeveloper 12.2.1.3.0 \n * Oracle OFS REG REP EBA 8.0.6 \n * Oracle OFS REG REP EBA 8.0.7 \n * Oracle OFS REG REP RBI 8.0.7 \n * Oracle OFS REG REP US FED 8.0.4 \n * Oracle OFS REG REP US FED 8.0.7 \n * Oracle PeopleSoft Enterprise PeopleTools 8.55 \n * Oracle PeopleSoft Enterprise PeopleTools 8.56 \n * Oracle PeopleSoft Enterprise PeopleTools 8.57 \n * Oracle Policy Automation 10.4.7 \n * Oracle Policy Automation 12.1.0 \n * Oracle Policy Automation 12.1.1 \n * Oracle Policy Automation 12.2.0 \n * Oracle Policy Automation 12.2.1 \n * Oracle Policy Automation 12.2.10 \n * Oracle Policy Automation 12.2.15 \n * Oracle Policy Automation 12.2.2 \n * Oracle Policy Automation 12.2.3 \n * Oracle Policy Automation 12.2.7 \n * Oracle Policy Automation 12.2.8 \n * Oracle Policy Automation 12.2.9 \n * Oracle Policy Automation Connector for Siebel 10.4.6 \n * Oracle Policy Automation for Mobile Devices 12.2.0 \n * Oracle Policy Automation for Mobile Devices 12.2.10 \n * Oracle Policy Automation for Mobile Devices 12.2.15 \n * Oracle Policy Automation for Mobile Devices 12.2.4 \n * Oracle Policy Automation for Mobile Devices 12.2.5 \n * Oracle Policy Automation for Mobile Devices 12.2.6 \n * Oracle Policy Automation for Mobile Devices 12.2.7 \n * Oracle Policy Automation for Mobile Devices 12.2.8 \n * Oracle Policy Automation for Mobile Devices 12.2.9 \n * Oracle Primavera Unifier 16.1 \n * Oracle Primavera Unifier 16.2 \n * Oracle Primavera Unifier 17.12 \n * Oracle Primavera Unifier 17.7 \n * Oracle Primavera Unifier 18.8 \n * Oracle Retail Customer Insights 15.0 \n * Oracle Retail Customer Insights 16.0 \n * Oracle Service Bus 11.1.1.9.0 \n * Oracle Service Bus 12.1.3.0.0 \n * Oracle Service Bus 12.2.1.3.0 \n * Oracle Siebel Applications 19.0 \n * Oracle Siebel Applications 19.3 \n * Oracle Siebel Applications 19.8 \n * Oracle System Utilities 19.1 \n * Oracle Weblogic Server 10.3.6.0 \n * Oracle Weblogic Server 12.1.3.0.0 \n * Oracle Weblogic Server 12.2.1.3.0 \n * jQuery jQuery 1.0.0 \n * jQuery jQuery 1.0.1 \n * jQuery jQuery 1.10.0 \n * jQuery jQuery 1.6 \n * jQuery jQuery 1.6.1 \n * jQuery jQuery 1.6.2 \n * jQuery jQuery 1.6.3 \n * jQuery jQuery 1.6.4 \n * jQuery jQuery 1.7.1 \n * jQuery jQuery 1.8.1 \n * jQuery jQuery 1.9.0 \n * jQuery jQuery 2.2 \n * jQuery jQuery 3.0.0 \n * jQuery jQuery 3.1 \n * jQuery jQuery 3.1.0 \n * jQuery jQuery 3.1.1 \n * jQuery jQuery 3.2 \n * jQuery jQuery 3.2.0 \n * jQuery jQuery 3.2.1 \n * jQuery jQuery 3.3 \n * jQuery jQuery 3.3.0 \n * jQuery jQuery 3.3.1 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nAttackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run all software as a user with minimal privileges and limited access to system resources. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content. \n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the webserver may log such requests, review its logs regularly.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue allows malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2019-04-17T00:00:00", "type": "symantec", "title": "JQuery CVE-2019-11358 Cross Site Scripting Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2019-04-17T00:00:00", "id": "SMNTC-108023", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/108023", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "f5": [{"lastseen": "2023-02-21T21:42:05", "description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. ([CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-04-14T04:35:00", "type": "f5", "title": "jQuery vulnerability CVE-2019-11358", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11358"], "modified": "2020-04-14T04:35:00", "id": "F5:K20455158", "href": "https://support.f5.com/csp/article/K20455158", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2023-09-10T03:24:49", "description": "It was discovered that the jQuery version embedded in OTRS, a ticket request system, was prone to a cross site scripting vulnerability in jQuery.extend().\n\nFor Debian 8 'Jessie', this problem has been fixed in version 3.3.18-1+deb8u14.\n\nWe recommend that you upgrade your otrs2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-02-25T00:00:00", "type": "nessus", "title": "Debian DLA-2118-1 : otrs2 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:otrs", "p-cpe:/a:debian:debian_linux:otrs2", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-2118.NASL", "href": "https://www.tenable.com/plugins/nessus/133967", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2118-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133967);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-11358\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Debian DLA-2118-1 : otrs2 security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was discovered that the jQuery version embedded in OTRS, a ticket\nrequest system, was prone to a cross site scripting vulnerability in\njQuery.extend().\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n3.3.18-1+deb8u14.\n\nWe recommend that you upgrade your otrs2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/jessie/otrs2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected otrs, and otrs2 packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:otrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:otrs2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"otrs\", reference:\"3.3.18-1+deb8u14\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"otrs2\", reference:\"3.3.18-1+deb8u14\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-10T03:30:26", "description": "The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:1325 advisory.\n\n - jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-04-07T00:00:00", "type": "nessus", "title": "RHEL 8 : python-XStatic-jQuery (RHSA-2020:1325)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:python3-xstatic-jquery"], "id": "REDHAT-RHSA-2020-1325.NASL", "href": "https://www.tenable.com/plugins/nessus/135256", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:1325. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135256);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\"CVE-2019-11358\");\n script_bugtraq_id(108023);\n script_xref(name:\"IAVA\", value:\"2019-A-0384\");\n script_xref(name:\"IAVA\", value:\"2020-A-0017\");\n script_xref(name:\"RHSA\", value:\"2020:1325\");\n script_xref(name:\"IAVA\", value:\"2020-A-0150\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"RHEL 8 : python-XStatic-jQuery (RHSA-2020:1325)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in\nthe RHSA-2020:1325 advisory.\n\n - jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or\n property injection (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11358\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:1325\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1701972\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python3-XStatic-jQuery package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11358\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-XStatic-jQuery\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/layered/rhel8/ppc64le/openstack-deployment-tools/15/debug',\n 'content/dist/layered/rhel8/ppc64le/openstack-deployment-tools/15/os',\n 'content/dist/layered/rhel8/ppc64le/openstack-deployment-tools/15/source/SRPMS',\n 'content/dist/layered/rhel8/ppc64le/openstack-devtools/15/debug',\n 'content/dist/layered/rhel8/ppc64le/openstack-devtools/15/os',\n 'content/dist/layered/rhel8/ppc64le/openstack-devtools/15/source/SRPMS',\n 'content/dist/layered/rhel8/ppc64le/openstack/15/debug',\n 'content/dist/layered/rhel8/ppc64le/openstack/15/os',\n 'content/dist/layered/rhel8/ppc64le/openstack/15/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/openstack-deployment-tools/15/debug',\n 'content/dist/layered/rhel8/x86_64/openstack-deployment-tools/15/os',\n 'content/dist/layered/rhel8/x86_64/openstack-deployment-tools/15/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/openstack-devtools/15/debug',\n 'content/dist/layered/rhel8/x86_64/openstack-devtools/15/os',\n 'content/dist/layered/rhel8/x86_64/openstack-devtools/15/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/openstack-tools/15/debug',\n 'content/dist/layered/rhel8/x86_64/openstack-tools/15/os',\n 'content/dist/layered/rhel8/x86_64/openstack-tools/15/source/SRPMS',\n 'content/dist/layered/rhel8/x86_64/openstack/15/debug',\n 'content/dist/layered/rhel8/x86_64/openstack/15/os',\n 'content/dist/layered/rhel8/x86_64/openstack/15/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'python3-XStatic-jQuery-3.4.1.0-1.el8ost', 'release':'8', 'el_string':'el8ost', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python3-XStatic-jQuery');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-07T18:17:10", "description": "The version of pcs installed on the remote host is prior to 0.9.169-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-1905 advisory.\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-01-24T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : pcs (ALAS-2023-1905)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2023-09-06T00:00:00", "cpe": ["cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:pcs-snmp", "p-cpe:/a:amazon:linux:pcs-debuginfo", "p-cpe:/a:amazon:linux:pcs"], "id": "AL2_ALAS-2023-1905.NASL", "href": "https://www.tenable.com/plugins/nessus/170448", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2023-1905.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(170448);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/06\");\n\n script_cve_id(\"CVE-2019-11358\");\n script_xref(name:\"IAVA\", value:\"2020-A-0495\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Amazon Linux 2 : pcs (ALAS-2023-1905)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of pcs installed on the remote host is prior to 0.9.169-3. It is, therefore, affected by a vulnerability as\nreferenced in the ALAS2-2023-1905 advisory.\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true,\n {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2023-1905.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2019-11358.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update pcs' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11358\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:pcs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:pcs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:pcs-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'pcs-0.9.169-3.amzn2.3.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pcs-0.9.169-3.amzn2.3.0.1', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pcs-0.9.169-3.amzn2.3.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pcs-debuginfo-0.9.169-3.amzn2.3.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pcs-debuginfo-0.9.169-3.amzn2.3.0.1', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pcs-debuginfo-0.9.169-3.amzn2.3.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pcs-snmp-0.9.169-3.amzn2.3.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pcs-snmp-0.9.169-3.amzn2.3.0.1', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pcs-snmp-0.9.169-3.amzn2.3.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"pcs / pcs-debuginfo / pcs-snmp\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-07T15:51:32", "description": "The remote Redhat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:5581 advisory.\n\n - jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-12-18T00:00:00", "type": "nessus", "title": "RHEL 7 : python-XStatic-jQuery (RHSA-2020:5581)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:python-xstatic-jquery"], "id": "REDHAT-RHSA-2020-5581.NASL", "href": "https://www.tenable.com/plugins/nessus/144388", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:5581. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144388);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\"CVE-2019-11358\");\n script_bugtraq_id(108023);\n script_xref(name:\"IAVA\", value:\"2019-A-0384\");\n script_xref(name:\"IAVA\", value:\"2020-A-0017\");\n script_xref(name:\"IAVA\", value:\"2020-A-0150\");\n script_xref(name:\"RHSA\", value:\"2020:5581\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"RHEL 7 : python-XStatic-jQuery (RHSA-2020:5581)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in\nthe RHSA-2020:5581 advisory.\n\n - jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or\n property injection (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11358\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:5581\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1701972\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python-XStatic-jQuery package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11358\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-XStatic-jQuery\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/client/7/7Client/x86_64/openstack-tools/13/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/openstack-tools/13/os',\n 'content/dist/rhel/client/7/7Client/x86_64/openstack-tools/13/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-deployment-tools/13/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-deployment-tools/13/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-deployment-tools/13/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-devtools/13/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-devtools/13/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-devtools/13/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-optools/13/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-optools/13/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-optools/13/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack/13/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack/13/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/openstack/13/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-deployment-tools/13/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-deployment-tools/13/os',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-deployment-tools/13/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-devtools/13/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-devtools/13/os',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-devtools/13/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-octavia/13/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-octavia/13/os',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-octavia/13/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-optools/13/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-optools/13/os',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-optools/13/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-tools/13/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-tools/13/os',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack-tools/13/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack/13/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack/13/os',\n 'content/dist/rhel/server/7/7Server/x86_64/openstack/13/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/openstack-tools/13/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/openstack-tools/13/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/openstack-tools/13/source/SRPMS',\n 'content/els/rhel/client/7/7Client/x86_64/openstack-tools/13/debug',\n 'content/els/rhel/client/7/7Client/x86_64/openstack-tools/13/os',\n 'content/els/rhel/client/7/7Client/x86_64/openstack-tools/13/source/SRPMS',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack-deployment-tools/13/debug',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack-deployment-tools/13/os',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack-deployment-tools/13/source/SRPMS',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack-devtools/13/debug',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack-devtools/13/os',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack-devtools/13/source/SRPMS',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack-optools/13/debug',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack-optools/13/os',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack-optools/13/source/SRPMS',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack/13/debug',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack/13/os',\n 'content/els/rhel/power-le/7/7Server/ppc64le/openstack/13/source/SRPMS',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-deployment-tools/13/debug',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-deployment-tools/13/os',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-deployment-tools/13/source/SRPMS',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-devtools/13/debug',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-devtools/13/os',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-devtools/13/source/SRPMS',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-octavia/13/debug',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-octavia/13/os',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-octavia/13/source/SRPMS',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-optools/13/debug',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-optools/13/os',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-optools/13/source/SRPMS',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-tools/13/debug',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-tools/13/os',\n 'content/els/rhel/server/7/7Server/x86_64/openstack-tools/13/source/SRPMS',\n 'content/els/rhel/server/7/7Server/x86_64/openstack/13/debug',\n 'content/els/rhel/server/7/7Server/x86_64/openstack/13/os',\n 'content/els/rhel/server/7/7Server/x86_64/openstack/13/source/SRPMS',\n 'content/els/rhel/workstation/7/7Workstation/x86_64/openstack-tools/13/debug',\n 'content/els/rhel/workstation/7/7Workstation/x86_64/openstack-tools/13/os',\n 'content/els/rhel/workstation/7/7Workstation/x86_64/openstack-tools/13/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'python-XStatic-jQuery-2.2.4.1-3.el7ost', 'release':'7', 'el_string':'el7ost', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python-XStatic-jQuery');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-07T18:17:05", "description": "The version of Oracle Enterprise Manager Ops Center installed on the remote host is affected by a vulnerability as described in the October 2019 Critical Patch Update (CPU). Vulnerability in the Enterprise Manager Ops Center product of Oracle Enterprise Manager (component: Networking (jQuery)). Supported versions that are affected are 12.3.3 and 12.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Ops Center. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Enterprise Manager Ops Center, attacks may significantly impact additional products.\nSuccessful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Enterprise Manager Ops Center accessible data as well as unauthorized read access to a subset of Enterprise Manager Ops Center accessible data.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-01-12T00:00:00", "type": "nessus", "title": "Oracle Enterprise Manager Ops Center UI or Other Patch (Oct 2019 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2023-09-07T00:00:00", "cpe": ["cpe:/a:oracle:enterprise_manager_ops_center"], "id": "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_OCT_2019_CPU_UI.NASL", "href": "https://www.tenable.com/plugins/nessus/169978", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(169978);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/07\");\n\n script_cve_id(\"CVE-2019-11358\");\n script_xref(name:\"IAVA\", value:\"2019-A-0384\");\n script_xref(name:\"IAVA\", value:\"2020-A-0150\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Oracle Enterprise Manager Ops Center UI or Other Patch (Oct 2019 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An enterprise management application installed on the remote host is\naffected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle Enterprise Manager Ops Center installed on the remote host is affected by a vulnerability as\ndescribed in the October 2019 Critical Patch Update (CPU). Vulnerability in the Enterprise Manager Ops Center product\nof Oracle Enterprise Manager (component: Networking (jQuery)). Supported versions that are affected are 12.3.3 and\n12.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise\nEnterprise Manager Ops Center. Successful attacks require human interaction from a person other than the attacker and\nwhile the vulnerability is in Enterprise Manager Ops Center, attacks may significantly impact additional products.\nSuccessful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of\nEnterprise Manager Ops Center accessible data as well as unauthorized read access to a subset of Enterprise Manager\nOps Center accessible data.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.oracle.com/security-alerts/cpuoct2019.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2c94f8e4\");\n # https://www.oracle.com/security-alerts/cpuoct2019verbose.html#EM\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?17ac9b74\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2019\nOracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11358\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:enterprise_manager_ops_center\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_enterprise_manager_ops_center_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Enterprise Manager Ops Center\");\n\n exit(0);\n}\n\ninclude('vcf_extras_oracle_em_ops_center.inc');\n\nget_kb_item_or_exit('Host/local_checks_enabled');\n\nvar constraints = [\n {'min_version': '12.3.3.0', 'max_version': '12.3.3.9999', 'ui_patch': '30295446'},\n {'min_version': '12.4.0.0', 'max_version': '12.4.0.9999', 'ui_patch': '30295450'}\n];\n\nvar app_info = vcf::oracle_em_ops_center::get_app_info();\n\nvcf::oracle_em_ops_center::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-08T15:45:53", "description": "A cross-site scripting vulnerability has been found in Drupal, a fully-featured content management framework. For additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2019-006 .", "cvss3": {}, "published": "2019-04-22T00:00:00", "type": "nessus", "title": "Debian DSA-4434-1 : drupal7 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4434.NASL", "href": "https://www.tenable.com/plugins/nessus/124205", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4434. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124205);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-11358\");\n script_xref(name:\"DSA\", value:\"4434\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Debian DSA-4434-1 : drupal7 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A cross-site scripting vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional\ninformation, please refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2019-006 .\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927330\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2019-006\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4434\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the drupal7 packages.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u8.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"drupal7\", reference:\"7.52-2+deb9u8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-02-19T13:47:55", "description": "- https://www.drupal.org/project/drupal/releases/7.66\n\n - https://www.drupal.org/SA-CORE-2019-006\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-09T00:00:00", "type": "nessus", "title": "Fedora 28 : drupal7 (2019-f563e66380)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2020-01-21T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal7", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2019-F563E66380.NASL", "href": "https://www.tenable.com/plugins/nessus/124703", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-f563e66380.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124703);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/21\");\n\n script_cve_id(\"CVE-2019-11358\");\n script_xref(name:\"FEDORA\", value:\"2019-f563e66380\");\n\n script_name(english:\"Fedora 28 : drupal7 (2019-f563e66380)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- https://www.drupal.org/project/drupal/releases/7.66\n\n - https://www.drupal.org/SA-CORE-2019-006\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-f563e66380\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/SA-CORE-2019-006\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"drupal7-7.66-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal7\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-02-19T13:47:56", "description": "The version of JQuery library hosted on the remote web server is prior to 3.4.0. It is, therefore, affected by an object pollution vulnerability in jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", "cvss3": {}, "published": "2019-05-10T00:00:00", "type": "nessus", "title": "JQuery < 3.4.0 Object Prototype Pollution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2019-10-30T00:00:00", "cpe": [], "id": "JQUERY_3_4_0.NASL", "href": "https://www.tenable.com/plugins/nessus/124719", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124719);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/10/30 13:24:46\");\n\n script_cve_id(\"CVE-2019-11358\");\n script_bugtraq_id(108023);\n\n script_name(english:\"JQuery < 3.4.0 Object Prototype Pollution Vulnerability\");\n script_summary(english:\"Checks the version of JQuery.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by an object pollution \nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of JQuery library hosted on the remote web\nserver is prior to 3.4.0. It is, therefore, affected by\nan object pollution vulnerability in \njQuery.extend(true, {}, ...) because of Object.prototype\npollution. If an unsanitized source object contained an\nenumerable __proto__ property, it could extend the native\nObject.prototype.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to JQuery version 3.4.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11358\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/10\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jquery_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"Settings/ParanoidReport\", \"installed_sw/jquery\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nappname = 'jquery';\nget_install_count(app_name:appname, exit_if_zero:TRUE);\nport = get_http_port(default:80);\napp_info = vcf::get_app_info(app:appname, port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [{'fixed_version':'3.4.0'}];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-02-19T13:50:20", "description": "- https://www.drupal.org/project/drupal/releases/7.66\n\n - https://www.drupal.org/SA-CORE-2019-006\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-09T00:00:00", "type": "nessus", "title": "Fedora 29 : drupal7 (2019-a06dffab1c)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2020-01-21T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal7", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2019-A06DFFAB1C.NASL", "href": "https://www.tenable.com/plugins/nessus/124700", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-a06dffab1c.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124700);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/21\");\n\n script_cve_id(\"CVE-2019-11358\");\n script_xref(name:\"FEDORA\", value:\"2019-a06dffab1c\");\n\n script_name(english:\"Fedora 29 : drupal7 (2019-a06dffab1c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- https://www.drupal.org/project/drupal/releases/7.66\n\n - https://www.drupal.org/SA-CORE-2019-006\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-a06dffab1c\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/SA-CORE-2019-006\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"drupal7-7.66-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal7\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-02-19T13:48:01", "description": "- https://www.drupal.org/project/drupal/releases/7.66\n\n - https://www.drupal.org/SA-CORE-2019-006\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-09T00:00:00", "type": "nessus", "title": "Fedora 30 : drupal7 (2019-2a0ce0c58c)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358"], "modified": "2020-01-21T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal7", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-2A0CE0C58C.NASL", "href": "https://www.tenable.com/plugins/nessus/124699", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-2a0ce0c58c.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124699);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/21\");\n\n script_cve_id(\"CVE-2019-11358\");\n script_xref(name:\"FEDORA\", value:\"2019-2a0ce0c58c\");\n\n script_name(english:\"Fedora 30 : drupal7 (2019-2a0ce0c58c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- https://www.drupal.org/project/drupal/releases/7.66\n\n - https://www.drupal.org/SA-CORE-2019-006\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-2a0ce0c58c\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/SA-CORE-2019-006\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"drupal7-7.66-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal7\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-02-19T13:49:40", "description": "Several security vulnerabilities have been discovered in drupal7, a PHP website platform. The vulnerabilities affect the embedded versions of the jQuery JavaScript library and the Typo3 Phar Stream Wrapper library.\n\nCVE-2019-11358\n\nIt was discovered that the jQuery version embedded in Drupal was prone to a cross site scripting vulnerability in jQuery.extend().\n\nFor additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2019-006.\n\nCVE-2019-11831\n\nIt was discovered that incomplete validation in a Phar processing library embedded in Drupal, a fully-featured content management framework, could result in information disclosure.\n\nFor additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2019-007.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 7.32-1+deb8u17.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-21T00:00:00", "type": "nessus", "title": "Debian DLA-1797-1 : drupal7 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-11831"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1797.NASL", "href": "https://www.tenable.com/plugins/nessus/125298", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1797-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125298);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2019-11358\", \"CVE-2019-11831\");\n\n script_name(english:\"Debian DLA-1797-1 : drupal7 security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several security vulnerabilities have been discovered in drupal7, a\nPHP website platform. The vulnerabilities affect the embedded\nversions of the jQuery JavaScript library and the Typo3 Phar Stream\nWrapper library.\n\nCVE-2019-11358\n\nIt was discovered that the jQuery version embedded in Drupal was prone\nto a cross site scripting vulnerability in jQuery.extend().\n\nFor additional information, please refer to the upstream\nadvisory at https://www.drupal.org/sa-core-2019-006.\n\nCVE-2019-11831\n\nIt was discovered that incomplete validation in a Phar processing\nlibrary embedded in Drupal, a fully-featured content management\nframework, could result in information disclosure.\n\nFor additional information, please refer to the upstream\nadvisory at https://www.drupal.org/sa-core-2019-007.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n7.32-1+deb8u17.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2019-006\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2019-007\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"drupal7\", reference:\"7.32-1+deb8u17\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-17T16:36:55", "description": "The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the SLSA-2022:7343-1 advisory.\n\n - rubygem-rack: crafted requests can cause shell escape sequences (CVE-2022-30123)\n\n - jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-10T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : pcs on SL7.x x86_64 (2022:7343)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2022-30123"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:pcs", "p-cpe:/a:fermilab:scientific_linux:pcs-debuginfo", "p-cpe:/a:fermilab:scientific_linux:pcs-snmp"], "id": "SL_20221103_PCS_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/167259", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167259);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2019-11358\", \"CVE-2022-30123\");\n script_xref(name:\"IAVA\", value:\"2020-A-0495\");\n script_xref(name:\"RHSA\", value:\"RHSA-2022:7343\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Scientific Linux Security Update : pcs on SL7.x x86_64 (2022:7343)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Scientific Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SLSA-2022:7343-1 advisory.\n\n - rubygem-rack: crafted requests can cause shell escape sequences (CVE-2022-30123)\n\n - jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or\n property injection (CVE-2019-11358)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.scientificlinux.org/category/sl-errata/slsa-20227343-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected pcs, pcs-debuginfo and / or pcs-snmp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11358\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30123\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fermilab:scientific_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:pcs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:pcs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:pcs-snmp\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Scientific Linux' >!< os_release) audit(AUDIT_OS_NOT, 'Scientific Linux');\nvar os_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Scientific Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Scientific Linux 7.x', 'Scientific Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Scientific Linux', cpu);\n\nvar pkgs = [\n {'reference':'pcs-0.9.169-3.el7_9.3', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pcs-debuginfo-0.9.169-3.el7_9.3', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pcs-snmp-0.9.169-3.el7_9.3', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && _release) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'pcs / pcs-debuginfo / pcs-snmp');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-09T14:23:20", "description": "According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is earlier than 5.14.0. It is, therefore, affected by multiple vulnerabilities.\n\nNote that Nessus has not tested for these issues nor the stand-alone patch but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-02-19T00:00:00", "type": "nessus", "title": "Tenable SecurityCenter < 5.14.0 Multiple Vulnerabilities (TNS-2020-02)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2020-5737"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:tenable:securitycenter"], "id": "SECURITYCENTER_5_14_0_TNS_2020_02.NASL", "href": "https://www.tenable.com/plugins/nessus/146621", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146621);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-11358\", \"CVE-2020-5737\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Tenable SecurityCenter < 5.14.0 Multiple Vulnerabilities (TNS-2020-02)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Tenable SecurityCenter\napplication installed on the remote host is earlier than 5.14.0. It is,\ntherefore, affected by multiple vulnerabilities.\n\nNote that Nessus has not tested for these issues nor the stand-alone\npatch but has instead relied only on the application's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2020-02\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Tenable SecurityCenter version 5.14.0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11358\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:securitycenter\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"securitycenter_installed.nbin\", \"securitycenter_detect.nbin\");\n script_require_ports(\"Host/SecurityCenter/Version\", \"installed_sw/SecurityCenter\");\n\n exit(0);\n}\n\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:443, dont_exit:TRUE);\napp_info = vcf::tenable_sc::get_app_info(port:port);\n\nconstraints = [\n {'fixed_version':'5.14.0', 'fixed_display':'5.14.1'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info, \n constraints:constraints, \n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:36:36", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-7343 advisory.\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\n - rubygem-rack: crafted requests can cause shell escape sequences (CVE-2022-30123)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-03T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : pcs (ELSA-2022-7343)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2022-30123"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:pcs", "p-cpe:/a:oracle:linux:pcs-snmp"], "id": "ORACLELINUX_ELSA-2022-7343.NASL", "href": "https://www.tenable.com/plugins/nessus/166935", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-7343.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166935);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2019-11358\", \"CVE-2022-30123\");\n script_xref(name:\"IAVA\", value:\"2020-A-0495\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle Linux 7 : pcs (ELSA-2022-7343)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2022-7343 advisory.\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true,\n {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\n - rubygem-rack: crafted requests can cause shell escape sequences (CVE-2022-30123)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-7343.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected pcs and / or pcs-snmp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11358\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30123\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/03\"