Lucene search
+L

65 matches found

CVE
CVE
added 2018/12/11 10:0 a.m.76 views

CVE-2018-20059

CVE-2018-20059 concerns Pippo 1.11.0 where jaxb/JaxbEngine.java allows XML External Entity (XXE) processing. The issue arises from the XML parser not disabling external DTD usage, enabling potential XXE attacks. Connected advisories (GHSA-RMM5-G63H-M6G9, VERACODE, Red Hat/OSV entries) corroborate...

9.8CVSS9.4AI score0.015EPSS
Exploits1References1Affected Software1
vulnersOsv
vulnersOsv
added 2018/10/24 7:46 p.m.6 views

com.gitblit.fathom:fathom-integration-test (>=0.5.0 <=1.0.1), com.gitblit.fathom:fathom-mailer (>=0.5.0 <=1.0.1) +72 more potentially affected by CVE-2018-18628 via ro.pippo:pippo-core (>=0.4.0 <=1.11.0)

ro.pippo:pippo-core MAVEN version =0.4.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.2, =0.8.1, =0.8.4, =0.8.0, =0.8.0, =0.2.3, =0.4.0, =0.4.0, =1.11.0 and more Source cves: CVE-2018-18628 Source advisory: OSV:GHSA-7FM6-2QW4-G3X3...

10CVSS7.8AI score0.05482EPSS
Exploits1
OSV
OSV
added 2018/10/24 7:46 p.m.24 views

GHSA-7FM6-2QW4-G3X3 Deserialization of Untrusted Data in Pippo

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

9.8CVSS9.7AI score0.05482EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2018/10/24 7:46 p.m.37 views

Deserialization of Untrusted Data in Pippo

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

10CVSS3.1AI score0.05482EPSS
Exploits1References5Affected Software1
vulnersOsv
vulnersOsv
added 2018/10/24 7:42 p.m.8 views

io.andromeda:lyricist (>=0.2.3 <=0.2.4), io.andromeda:lyricist-demo (=0.2.3) +5 more potentially affected by CVE-2017-18349 via ro.pippo:pippo-fastjson (>=0.4.0 <=0.9.1)

ro.pippo:pippo-fastjson MAVEN version =0.4.0, =0.2.3, =0.6.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.6.1 Source cves: CVE-2017-18349 Source advisory: OSV:GHSA-XJRR-XV9M-4PW5...

10CVSS7.2AI score0.3897EPSS
Exploits2
Github Security Blog
Github Security Blog
added 2018/10/24 7:42 p.m.50 views

Improper Input Validation in alilibaba:fastjson

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...

10CVSS6.1AI score0.3897EPSS
Exploits2References6Affected Software2
OSV
OSV
added 2018/10/24 7:42 p.m.8 views

GHSA-XJRR-XV9M-4PW5 Improper Input Validation in alilibaba:fastjson

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...

9.8CVSS7.6AI score0.3897EPSS
Exploits2References7
CNVD
CNVD
added 2018/10/24 12:0 a.m.7 views

Pippo FastjsonEngine Fastjson Arbitrary Code Execution Vulnerability

Pippo is a Java-based Web framework . FastjsonEngine is one of the JSON processing engine . Fastjson is one of the Java-based JSON parser/generator . Pippo 1.11.0 version of FastjsonEngine used by Fastjson 1.2.25 before the version of parseObject has a security vulnerability. A remote attacker ca...

10CVSS9.6AI score0.3897EPSS
Exploits2References1
CNVD
CNVD
added 2018/10/24 12:0 a.m.5 views

Pippo Java Deserialization Vulnerability

Pippo is a Java-based Web framework . A security vulnerability exists in Pippo version 1.11.0, which stems from the 'SerializationSessionDataTranscoder.decode' function failing to check the type of a SessionData object before calling the 'ObjectInputStream.readObject' function for deserialization...

10CVSS9.4AI score0.05482EPSS
Exploits1References1
NVD
NVD
added 2018/10/23 8:29 p.m.32 views

CVE-2017-18349

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...

10CVSS9.6AI score0.3897EPSS
Exploits2References3
Prion
Prion
added 2018/10/23 8:29 p.m.14 views

Cross site request forgery (csrf)

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...

10CVSS9.6AI score0.3897EPSS
Exploits2References3Affected Software2
Prion
Prion
added 2018/10/23 8:29 p.m.20 views

Design/Logic Flaw

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

10CVSS9.7AI score0.05482EPSS
Exploits1References1Affected Software1
NVD
NVD
added 2018/10/23 8:29 p.m.25 views

CVE-2018-18628

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

10CVSS9.7AI score0.05482EPSS
Exploits1References1
OSV
OSV
added 2018/10/23 8:29 p.m.12 views

CVE-2018-18628

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

9.8CVSS9.7AI score
Exploits0References1
OSV
OSV
added 2018/10/23 8:29 p.m.23 views

CVE-2017-18349

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...

9.8CVSS9.6AI score
Exploits0References3
Cvelist
Cvelist
added 2018/10/23 8:0 p.m.30 views

CVE-2018-18628

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

9.8AI score0.05482EPSS
Exploits1References1
Cvelist
Cvelist
added 2018/10/23 8:0 p.m.28 views

CVE-2017-18349

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...

9.6AI score0.3897EPSS
Exploits2References3
CVE
CVE
added 2018/10/23 8:0 p.m.83 views

CVE-2018-18628

Pippo 1.11.0 is affected by CVE-2018-18628. The issue arises in SerializationSessionDataTranscoder.decode(), which calls ObjectInputStream.readObject() to deserialize a SessionData object without verifying object types. An attacker can craft a malicious object, base64-encode it, and place it in t...

10CVSS9.7AI score0.05482EPSS
Exploits1References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2018/10/23 12:0 a.m.62 views

Improper Input Validation

Fastjson allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java...

10CVSS6.6AI score0.3897EPSS
Exploits2References1Affected Software1
CNVD
CNVD
added 2018/10/15 12:0 a.m.7 views

Pippo Remote Code Execution Vulnerability

Pippo is a Java-based Web framework . A remote code execution vulnerability exists in Pippo 1.11.0 and earlier versions, which stems from the XstreamEngine component failing to use the defense mechanisms available to XStream to limit anti-grouping, and can be exploited by a remote attacker to...

9.8CVSS9.7AI score0.03653EPSS
Exploits1References1
Rows per page
Query Builder