63 matches found
UBUNTU-CVE-2019-12400
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this...
XXE
The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked...
Security Bulletin: Vulnerabilities affect Document Builder component in IBM Rational Publishing Engine (CVE-2016-2912, CVE-2016-2914)
Summary: Vulnerabilities in the IBM Rational Publishing Engine affect the Document Builder (RPENG). Vulnerability Details: CVEID: CVE-2016-2912. DESCRIPTION: IBM Rational Publishing Engine is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker...
CVE-2016-2914
Unrestricted file upload vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to execute arbitrary code by specifying an unexpected file extension...
CVE-2016-2912
Cross-site scripting (XSS) vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL...
Unrestricted file upload
Unrestricted file upload vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to execute arbitrary code by specifying an unexpected file extension...
Cross site scripting
Cross-site scripting (XSS) vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL...
PicketLink: XXE via insecure DocumentBuilderFactory usage
It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the...
PT-2014-5400 · Red Hat · Red Hat Enterprise Virtualization Manager
Name of the Vulnerable Software and Affected Versions: Red Hat Enterprise Virtualization Manager versions prior to 3.4.2. Description: The issue is related to an XML External Entity (XXE) problem, where the oVirt Engine backend module uses an insecure DocumentBuilderFactory. This allows remote...
OpenJDK: document builder missing security checks (JAXP, 8027201, 8025018)
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAXP. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the...