65 matches found
CVE-2018-20059
CVE-2018-20059 concerns Pippo 1.11.0 where jaxb/JaxbEngine.java allows XML External Entity (XXE) processing. The issue arises from the XML parser not disabling external DTD usage, enabling potential XXE attacks. Connected advisories (GHSA-RMM5-G63H-M6G9, VERACODE, Red Hat/OSV entries) corroborate...
com.gitblit.fathom:fathom-integration-test (>=0.5.0 <=1.0.1), com.gitblit.fathom:fathom-mailer (>=0.5.0 <=1.0.1) +72 more potentially affected by CVE-2018-18628 via ro.pippo:pippo-core (>=0.4.0 <=1.11.0)
ro.pippo:pippo-core MAVEN version =0.4.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.2, =0.8.1, =0.8.4, =0.8.0, =0.8.0, =0.2.3, =0.4.0, =0.4.0, =1.11.0 and more Source cves: CVE-2018-18628 Source advisory: OSV:GHSA-7FM6-2QW4-G3X3...
GHSA-7FM6-2QW4-G3X3 Deserialization of Untrusted Data in Pippo
An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...
Deserialization of Untrusted Data in Pippo
An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...
io.andromeda:lyricist (>=0.2.3 <=0.2.4), io.andromeda:lyricist-demo (=0.2.3) +5 more potentially affected by CVE-2017-18349 via ro.pippo:pippo-fastjson (>=0.4.0 <=0.9.1)
ro.pippo:pippo-fastjson MAVEN version =0.4.0, =0.2.3, =0.6.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.6.1 Source cves: CVE-2017-18349 Source advisory: OSV:GHSA-XJRR-XV9M-4PW5...
Improper Input Validation in alilibaba:fastjson
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...
GHSA-XJRR-XV9M-4PW5 Improper Input Validation in alilibaba:fastjson
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...
Pippo FastjsonEngine Fastjson Arbitrary Code Execution Vulnerability
Pippo is a Java-based Web framework . FastjsonEngine is one of the JSON processing engine . Fastjson is one of the Java-based JSON parser/generator . Pippo 1.11.0 version of FastjsonEngine used by Fastjson 1.2.25 before the version of parseObject has a security vulnerability. A remote attacker ca...
Pippo Java Deserialization Vulnerability
Pippo is a Java-based Web framework . A security vulnerability exists in Pippo version 1.11.0, which stems from the 'SerializationSessionDataTranscoder.decode' function failing to check the type of a SessionData object before calling the 'ObjectInputStream.readObject' function for deserialization...
CVE-2017-18349
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...
Cross site request forgery (csrf)
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...
Design/Logic Flaw
An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...
CVE-2018-18628
An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...
CVE-2018-18628
An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...
CVE-2017-18349
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...
CVE-2018-18628
An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...
CVE-2017-18349
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...
CVE-2018-18628
Pippo 1.11.0 is affected by CVE-2018-18628. The issue arises in SerializationSessionDataTranscoder.decode(), which calls ObjectInputStream.readObject() to deserialize a SessionData object without verifying object types. An attacker can craft a malicious object, base64-encode it, and place it in t...
Improper Input Validation
Fastjson allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java...
Pippo Remote Code Execution Vulnerability
Pippo is a Java-based Web framework . A remote code execution vulnerability exists in Pippo 1.11.0 and earlier versions, which stems from the XstreamEngine component failing to use the defense mechanisms available to XStream to limit anti-grouping, and can be exploited by a remote attacker to...