168 matches found
CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 o...
Code injection via property expansion in SoapUI
The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file...
Improper Control of Generation of Code in HawtJNI
Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp...
Restlet is vulnerable to Arbitrary Java Code Execution via crafted XML
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML...
GHSA-W7F2-GJXF-2GM9 Improper Neutralization of Special Elements used in a Command in Apache Cassandra
The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request...
Missing Authentication for Critical Function in Apache Cassandra
The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was introduced in...
CVE-2021-41269 Unauthenticated remote code injection in cron-utils
cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions A template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code...
Deserialization of untrusted data
In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. The attacker must have the encryption and signing keys...
Atlassian Jira 代码注入漏洞
Atlassian Jira is a defect tracking management system from Atlassian Australia. The system is used to track and manage all types of issues and defects in the workplace. A security vulnerability exists in Atlassian Jira that can be exploited by a remote attacker with a "Jira administrator" to acce...
Updated velocity packages fix security vulnerability
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache...
PT-2021-9474 · Alfresco · Alfresco Enterprise Content Management
Name of the Vulnerable Software and Affected Versions: Alfresco Enterprise Content Management ECM versions prior to 6.2.1 Description: An issue was discovered that allows a user with privileges to edit a FreeMarker template to execute arbitrary Java code or run arbitrary system commands with the...
USN-4584-1 htmlunit vulnerability
It was discovered that HtmlUnit incorrectly initialized Rhino engine. An Attacker could possibly use this issue to execute arbitrary Java code...
SAP NetWeaver AS Java Multiple XSS (2953112)
The version of SAP NetWeaver AS Java detected on the remote host may be affected by multiple cross-site scripting vulnerabilities, as follows: - SAP NetWeaver Application Server JAVA XML Forms versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an...
CVE-2020-6326
SAP NetWeaver Knowledge Management, version-7.30,7.31,7.40,7.50, allows an authenticated attacker to create malicious links in the UI, when clicked by victim, will execute arbitrary java scripts thus extracting or modifying information otherwise restricted leading to Stored Cross Site Scripting...
CVE-2020-6326
SAP NetWeaver Knowledge Management, version-7.30,7.31,7.40,7.50, allows an authenticated attacker to create malicious links in the UI, when clicked by victim, will execute arbitrary java scripts thus extracting or modifying information otherwise restricted leading to Stored Cross Site Scripting...
keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution...
CVE-2020-9297
Netflix Titus, all versions prior to version v0.1.1-rc.274, uses Java Bean Validation JSR 380 custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary...
Code injection
Netflix Titus uses Java Bean Validation JSR 380 custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passe...
CVE-2020-5529
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is...
HtmlUnit Code Execution Vulnerability
HtmlUnit is a Java-based library . A code execution vulnerability exists in HtmlUnit that can be exploited by an attacker to execute arbitrary Java code...