
6525 matches found

Tenable Nessus
added 2020/04/29 12:0 a.m., 54 views

Oracle WebCenter Sites Multiple Vulnerabilities (July 2019 CPU)

The Oracle WebCenter Sites component of Oracle Fusion Middleware is affected by multiple vulnerabilities: - A deserialization vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI, Apache Groovy) due to a lack of isolation of object...

CVSS 9.8, AI score 8.4, EPSS 0.56432
Exploits 0, References 5
Tenable Nessus
added 2020/04/28 12:0 a.m., 24 views

Spring Boot < 1.2.8 / 1.3.0 Whitelabel Error Page Remote Code Execution

Pivotal Spring Boot is a Java framework designed to help developers create minimal Spring-based applications. Spring applications provide the Spring Expression Language (SpEL), a powerful expression language for querying and manipulating an object graph at runtime. Spring Boot versions belo...

AI score 8.1
Exploits 0, References 3
RedhatCVE
added 2020/04/24 10:33 p.m., 20 views

CVE-2020-5405

Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted UR...

CVSS 6.5, AI score 5.4, EPSS 0.87989
Exploits 0, References 3
Vaadin
added 2020/04/21 12:0 a.m., 28 views

Potential sensitive data exposure in applications using Vaadin 15

Insecure configuration of the default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController. See CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Description: The...

CVSS 6.5, AI score 1, EPSS 0.0039
Exploits 0, References 3, Affected Software 2
Gitee
added 2020/04/18 8:3 a.m., 3 views

Exploit for Path Traversal in Pivotal_Software Spring_Framework

Web-Security-Learning project address: https://github.com/CHYbeta/Web-Security-Learning Last updated: 2018/10/31. Synchronized with: chybeta: Web-Security-Learning Contents: - Web-Security-Learning - Web Security - SQL injection - MySql - MSSQL - PostgreSQL - MongoDB - Tips - Tools - XSS - CSRF - Other front-end security - SSRF - XXE - JSONP injection - SSTI - Code execution /...

CVSS 7.5, AI score 8.2, EPSS 0.56172
Exploits 5
RedHat Linux
added 2020/04/16 7:46 p.m., 2 views

jackson-databind: Serialization gadgets in org.springframework:spring-aop

A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 8.1, AI score 7.1, EPSS 0.01367
Exploits 0, References 4
Talos Blog
added 2020/04/16 10:41 a.m., 45 views

Quarterly Report: Incident Response trends in Spring 2020

By David Liebenberg. Cisco Talos Incident Response (CTIR) engagements continue to be dominated by ransomware and commodity trojans. As alluded to in last quarter's report, ransomware actors have begun threatening to release sensitive information from victims as a means of further compelling them to...

AI score 1.9
Exploits 0
Openbugbounty
added 2020/04/14 8:59 p.m., 8 views

spring-board.info Cross Site Scripting vulnerability

Open Bug Bounty ID: OBB-1142787. Security researcher 4NCURZE (helped patch 1412 vulnerabilities, received 7 Coordinated Disclosure badges and 12 recommendations), a holder of 7 badges for responsible and coordinated disclosure, found a security vulnerability affecting the spring-board.info website...

AI score 0.2
Exploits 0
Gitee
added 2020/04/11 6:49 p.m., 2 views

Exploit for Path Traversal in Pivotal_Software Spring_Framework

Web-Security-Learning project address: https://github.com/CHYbeta/Web-Security-Learning Last updated: 2018/10/31. Synchronized with: chybeta: Web-Security-Learning Contents: - Web-Security-Learning - Web Security - SQL injection - MySql - MSSQL - PostgreSQL - MongoDB - Tips - Tools - XSS - CSRF - Other front-end security - SSRF - XXE - JSONP injection - SSTI - Code execution /...

CVSS 7.5, AI score 8.2, EPSS 0.56172
Exploits 5
NVD
added 2020/04/07 11:15 p.m., 21 views

CVE-2020-11619

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean aka spring-aop...

CVSS 8.1, AI score 8.7, EPSS 0.01367
Exploits 0, References 8
OSV
added 2020/04/07 11:15 p.m., 1 view

DEBIAN-CVE-2020-11619

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean aka spring-aop...

CVSS 8.1, AI score 8.1, EPSS 0.01367
Exploits 0, References 1
OSV
added 2020/04/07 11:15 p.m., 29 views

CVE-2020-11619

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean aka spring-aop...

CVSS 8.1, AI score 6.5
Exploits 0, References 8
Prion
added 2020/04/07 11:15 p.m., 17 views

Design/Logic Flaw

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean aka spring-aop...

CVSS 6.8, AI score 8.6, EPSS 0.01367
Exploits 0, References 8, Affected Software 20
UbuntuCve
added 2020/04/07 11:15 p.m., 38 views

CVE-2020-11619

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean aka spring-aop...

CVSS 8.1, AI score 7.1, EPSS 0.01367
Exploits 0, References 4
OSV
added 2020/04/07 11:15 p.m., 0 views

UBUNTU-CVE-2020-11619

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean aka spring-aop...

CVSS 8.1, AI score 7.2, EPSS 0.01367
Exploits 0, References 5
Cvelist
added 2020/04/07 10:14 p.m., 25 views

CVE-2020-11619

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean aka spring-aop...

AI score 8.7, EPSS 0.01367
Exploits 0, References 8
CVE
added 2020/04/07 10:14 p.m., 444 views

CVE-2020-11619

CVE-2020-11619 affects Jackson Databind 2.x before 2.9.10.4 and is caused by mishandling the interaction between serialization gadgets and typing (related to spring-aop). This deserialization issue can lead to arbitrary code execution when a crafted JSON is processed, as described in IBM/ISIQ con...

CVSS 8.1, AI score 8, EPSS 0.01367
Exploits 0, References 8, Affected Software 1
Trend Micro Simply Security
added 2020/04/06 12:37 p.m., 33 views

NCSA Small Business Webinar Series

Working from home? How do you keep your employees cyber-safe and cyber-secure? How do you protect your reputation, profit, and cash flow when you depend on your IT infrastructure as never before? The National Cyber Security Alliance is hosting a series of webinars for small business owners, and...

AI score 7
Exploits 0
RedhatCVE
added 2020/04/05 10:59 a.m., 21 views

CVE-2019-3772

The Spring Integration spring-integration-xml and spring-integration-ws modules, versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...

CVSS 9.8, AI score 4.9, EPSS 0.01724
Exploits 0, References 4
Hacker One
added 2020/04/04 5:14 a.m., 25 views

LY Corporation: Spring Actuator endpoints publicly available and broken authentication

Due to insufficient access control, it was possible to access the Spring Boot Actuator endpoints /heapdump and /env. @kazan71p identified two highly sensitive applications leaking information through these endpoints. The LINE Security team shut down the secondary endpoints just as it was discovere...

AI score 6.9
Exploits 0