Lucene search

341 matches found

ATTACKERKB
added 2015/11/18 12:0 a.m., 373 views

CVE-2015-4852

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to...

9.8 CVSS, 8.6 AI score, 0.92947 EPSS
In wild, Exploits 16, References 18
Tenable Nessus
added 2015/11/17 12:0 a.m., 173 views

Jenkins < 1.638 / 1.625.2 Java Object Deserialization RCE

The remote web server hosts a version of Jenkins or Jenkins Enterprise that is prior to 1.638 or 1.625.2. It is, therefore, affected by a flaw in the Apache Commons Collections (ACC) library that allows the deserialization of unauthenticated Java objects. An unauthenticated, remote attacker can...

9.8 CVSS, 8.8 AI score, 0.86333 EPSS
Exploits 12, References 5
Veracode
added 2015/11/09 7:34 p.m., 88 views

Potential Remote Code Execution Via Java Object Deserialization

Apache Commons includes a class called InvokerTransformer. An application is vulnerable to a deserialization attack if this class is available on the classpath and the application deserializes untrusted or user-supplied data. It's not necessary to actually use InvokerTransformer to be vulnerable...

10 CVSS, 9.7 AI score, 0.93274 EPSS
Exploits 33, References 24, Affected Software 6
securityvulns
added 2015/04/13 12:0 a.m., 35 views

CA20150407-01: Security Notice for CA Spectrum

CA20150407-01: Security Notice for CA Spectrum Issued: April 7, 2015 CA Technologies Support is alerting customers to multiple potential risks with CA Spectrum. Two vulnerabilities exist that can potentially allow a remote authenticated attacker to gain sensitiv...

9 CVSS, 1.7 AI score, 0.00534 EPSS
Exploits 0
Kaspersky
added 2015/04/07 12:0 a.m., 23 views

KLA10537 Multiple vulnerabilities in CA Spectrum

Multiple serious vulnerabilities have been found in CA Spectrum. Malicious users can exploit these vulnerabilities to gain privileges or inject arbitrary code. Below is a complete list of vulnerabilities: 1. Improper data serialization can be exploited remotely via a specially designed Java object...

9 CVSS, 7 AI score, 0.00534 EPSS
Exploits 0, References 3
myhack58
added 2015/04/01 12:0 a.m., 226 views

JBoss JMXInvokerServlet JMXInvoker 0.3 remote command execution vulnerability

JBoss JMXInvokerServlet Remote Command Execution JMXInvoker.java v0.3 - Luca Carettoni @ikki This code exploits a common misconfiguration in the JBoss Application Server 4.x, 5.x, .... Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"...

0.2 AI score
Exploits 0
exploitpack
added 2015/03/30 12:0 a.m., 21 views

JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution

JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution / JBoss JMXInvokerServlet Remote Command Execution JMXInvoker.java v0.3 - Luca Carettoni @ikki This code exploits a common misconfiguration in JBoss Application Server 4.x, 5.x, .... Whenever the JMX Invoker is exposed with the...

0.1 AI score
Exploits 0
Saint
added 2014/02/11 12:0 a.m., 52 views

Android WebView addJavascriptInterface Arbitrary Java Method Access

Added: 02/11/2014 CVE: CVE-2013-4710 OSVDB: 97520 Background Android is a Linux-based operating system used primarily on touchscreen mobile devices such as smartphones and tablet computers. It was originally developed by Android Inc., but is now owned by Google. WebView is a sub-class of the...

9.3 CVSS, 6.7 AI score, 0.76381 EPSS
Exploits 11
Saint
added 2014/02/11 12:0 a.m., 36 views

Android WebView addJavascriptInterface Arbitrary Java Method Access

Added: 02/11/2014 CVE: CVE-2013-4710 OSVDB: 97520 Background Android is a Linux-based operating system used primarily on touchscreen mobile devices such as smartphones and tablet computers. It was originally developed by Android Inc., but is now owned by Google. WebView is a sub-class of the...

9.3 CVSS, 6.7 AI score, 0.76381 EPSS
Exploits 11
RedHat Linux
added 2013/10/23 4:26 p.m., 2 views

OpenJDK: SerialJavaObject package restriction (JDBC, 8009554)

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via vectors related to JDBC. NOTE: the previous...

5.8 CVSS, 6.8 AI score, 0.08637 EPSS
Exploits 0, References 5
RedHat Linux
added 2013/07/15 8:32 p.m., 1 views

OpenJDK: SerialJavaObject package restriction (JDBC, 8009554)

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via vectors related to JDBC. NOTE: the previous...

5.8 CVSS, 6.8 AI score, 0.08637 EPSS
Exploits 0, References 5
RedHat Linux
added 2013/06/20 2:42 p.m., 1 views

OpenJDK: SerialJavaObject package restriction (JDBC, 8009554)

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via vectors related to JDBC. NOTE: the previous...

5.8 CVSS, 6.8 AI score, 0.08637 EPSS
Exploits 0, References 5
NVD
added 2012/01/08 3:55 p.m., 15 views

CVE-2012-0393

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object...

6.4 CVSS, 9.3 AI score, 0.73632 EPSS
Exploits 1, References 6
UbuntuCve
added 2012/01/08 3:55 p.m., 25 views

CVE-2012-0393

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object...

6.4 CVSS, 7.3 AI score, 0.73632 EPSS
Exploits 1, References 3
CVE
added 2012/01/08 3:0 p.m., 71 views

CVE-2012-0393

CVE-2012-0393 concerns Apache Struts 2.x. The vulnerability lies in the ParameterInterceptor component not preventing access to public constructors, allowing a remote attacker to cause the creation of Java objects and thus “trigger” the creation or overwrite of arbitrary files via a crafted param...

6.4 CVSS, 8.8 AI score, 0.73632 EPSS
Exploits 1, References 6, Affected Software 1
UbuntuCve
added 2009/06/12 12:0 a.m., 31 views

CVE-2009-1837

Race condition in the NPObjWrapperNewResolve function in modules/plugin/base/src/nsJSNPRuntime.cpp in xul.dll in Mozilla Firefox 3 before 3.0.11 might allow remote attackers to execute arbitrary code via a page transition during Java applet loading, related to a use-after-free vulnerability for...

9.3 CVSS, 7.5 AI score, 0.02184 EPSS
Exploits 2, References 2
CVE
added 2002/11/14 5:0 a.m., 57 views

CVE-2002-1295

The CVE-2002-1295 entry concerns the Microsoft Java VM used by Internet Explorer. The vulnerability arises when HTML applet tags bypass Java class restriction checks by supplying the class name in the code parameter, allowing remote attackers to cause a crash (denial of service) and potentially p...

7.5 CVSS, 6.8 AI score, 0.03068 EPSS
Exploits 0, References 5, Affected Software 1
securityvulns
added 2000/10/26 12:0 a.m., 23 views

Another vulnerability in Internet Explorer (Java Object)

Through OBJECT with CLASSID="JAVA" it is possible to access local documents...

0.8 AI score
Exploits 0, References 2, Affected Software 1
securityvulns
added 2000/10/13 12:0 a.m., 30 views

Another serious hole in Internet Explorer (Microsoft VM ActiveX Component)

One of the built-in JAVA objects allows the execution of any ActiveX components, including those not marked as safe...

0.6 AI score
Exploits 0, References 2, Affected Software 1
exploitpack
added 2000/10/05 12:0 a.m., 6 views

Microsoft Virtual Machine 2000/3100/3200/3300 Series - com.ms.activeX.ActiveXComponent Arbitrary Program Execution

Microsoft Virtual Machine 2000/3100/3200/3300 Series - com.ms.activeX.ActiveXComponent Arbitrary Program Execution source: https://www.securityfocus.com/bid/1754/info If a malicious website operator were to embed a specially crafted java object into a HTML document, it would be possible to execute...

0.7 AI score
Exploits 0