CVE-2023-24621

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed...

CVE-2023-24621

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed...

Deserialization of untrusted data

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed...

CVE-2023-24621

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed...

Esoteric Software YamlBeans 代码问题漏洞

YamlBeans is an open source library from Esoteric Software. Can easily Java object graph with YAML. A security vulnerability exists in Esoteric Software YamlBeans 1.15 and earlier versions that stems from allowing untrusted deserialization of Java classes...

PT-2023-19713 · Unknown · Esoteric Yamlbeans

Name of the Vulnerable Software and Affected Versions: Esoteric YamlBeans versions through 1.15 Description: An issue was discovered in Esoteric YamlBeans that allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document...

CVE-2023-24621

CVE-2023-24621 concerns Esoteric YamlBeans up to version 1.15, where untrusted deserialization to Java classes is possible by default because the data and class are controlled by the author of the YAML document. The public descriptions consistently describe this as a deserialization vulnerability...

CVE-2023-24621

An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed...

Server side request forgery (ssrf)

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery SSRF via the pathb parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs...

CVE-2023-38334

Omnis Studio 10.22.00 has incorrect access control. It advertises an irreversible feature for locking classes within Omnis libraries: it should be no longer possible to delete, view, change, copy, rename, duplicate, or print a locked class. Due to implementation issues, locked classes in Omnis...

CVE-2023-38334

Omnis Studio 10.22.00 has incorrect access control. It advertises an irreversible feature for locking classes within Omnis libraries: it should be no longer possible to delete, view, change, copy, rename, duplicate, or print a locked class. Due to implementation issues, locked classes in Omnis...

CVE-2023-38334

Omnis Studio 10.22.00 has incorrect access control. It advertises an irreversible feature for locking classes within Omnis libraries: it should be no longer possible to delete, view, change, copy, rename, duplicate, or print a locked class. Due to implementation issues, locked classes in Omnis...

PT-2023-26368 · Omnis · Omnis Studio

Name of the Vulnerable Software and Affected Versions: Omnis Studio version 10.22.00 Description: The issue is related to incorrect access control in Omnis Studio. It has a feature for locking classes within Omnis libraries, which should make it impossible to delete, view, change, copy, rename,...

CVE-2023-38334

Omnis Studio 10.22.00 has incorrect access control. It advertises an irreversible feature for locking classes within Omnis libraries: it should be no longer possible to delete, view, change, copy, rename, duplicate, or print a locked class. Due to implementation issues, locked classes in Omnis...

Sensitive Data Exposure

Ransack is vulnerable to Sensitive Data Exposure Vulnerability. The vulnerability is due to allowing the default behavior of unsafe searching and querying on all class attributes and associations leading to sensitive attributes exposure of classes used in application. This can lead to fully...

GHSA-3Q76-JQ6M-573P Archive_Tar contains Potential RCE if filename starts with phar://

PEAR ArchiveTar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the ArchiveTar class. There are several file operations with $vheader'filename' as parameter such as fileexists, isfile, isdir, etc. When extract is called without a specific prefix path, we can trigger...

June 23, 2023—KB5028623 (OS Build 14393.5996) Out-of-band

June 23, 2023—KB5028623 OS Build 14393.5996 Out-of-band 11/19/20 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1607, see its update history page. Highlights This...

Deserialization of untrusted data

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processin...

ALSA-2023:3595 Important: python3.9 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

Discourse 信息泄露漏洞

Discourse is an open source community discussion platform. The platform includes features such as communities, email and chat rooms. An information disclosure vulnerability exists in Discourse versions 3.0.3 stable and earlier, and 3.1.0.beta5 and earlier, which can be exploited by an attacker to...