9190 matches found

RedHat Linux, added 2018/11/06 7:05 p.m.

Critical: Red Hat Security Advisory: JBoss Enterprise Application Platform 5.2.0 security update

An update is now available for Red Hat JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...

CVSS 9.8 | AI score 8 | EPSS 0.89462 | Exploits 6 | References 5

RedHat Linux, added 2018/11/06 6:53 p.m.

RichFaces: Expression Language injection via UserResource allows for unauthenticated remote code execution

The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData...

CVSS 9.8 | AI score 7.7 | EPSS 0.89462 | Exploits 6 | References 5

ATTACKERKB, added 2018/11/06 12:00 a.m.

CVE-2018-14667

The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData. Recen...

CVSS 9.8 | AI score 8.3 | EPSS 0.89462 | In the wild | Exploits 6 | References 9

Tenable Nessus, added 2018/11/05 12:00 a.m.

Moment.js < 2.19.3 Regular Expression Denial of Service

According to its self-reported version number, Moment.js is prior to 2.19.3. Therefore, it may be affected by a regular expression denial of service vulnerability when parsing dates as strings. Note that the scanner has not tested for these issues but has instead relied only on the application's...

CVSS 7.5 | AI score 7.2 | EPSS 0.0023 | Exploits 0 | References 2

IBM Security Bulletins, added 2018/10/31 2:50 p.m.

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Intelligent Operations Center (CVE-2014-7810)

Summary: IBM WebSphere Application Server is shipped with IBM Intelligent Operations Center. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details: Consult the security bulletin, Security Bulletin:...

CVSS 5 | AI score 2.4 | EPSS 0.0993 | Exploits 0 | Affected Software 3

Tenable Nessus, added 2018/10/31 12:00 a.m.

RHEL 7 : python (RHSA-2018:3041)

The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:3041 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

CVSS 7.5 | AI score 6.6 | EPSS 0.01779 | Exploits 1 | References 11

IBM Security Bulletins, added 2018/10/29 7:35 p.m.

Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with Asset and Service Management

Summary: IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life...

CVSS 8.1 | AI score 1.4 | EPSS 0.0993 | Exploits 1 | Affected Software 8

IBM Security Bulletins, added 2018/10/25 8:20 p.m.

Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server bundled with IBM WebSphere Application Server Patterns

Summary: WebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. Information about security vulnerabilities affecting WebSphere Application Server has been published in multiple security bulletins. Vulnerability Details: Please consult the following...

CVSS 6.5 | AI score 2.6 | EPSS 0.0993 | Exploits 1 | Affected Software 1

OSV, added 2018/10/16 7:35 p.m.

GHSA-8FX9-5HX8-CRHM Apache Struts 2.0.1 uses an unintentional expression in a Freemarker tag instead of string literal

In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack...

CVSS 9.8 | AI score 7.2 | EPSS 0.94322 | Exploits 28 | References 9

RedHat Linux, added 2018/10/16 5:05 p.m.

RichFaces: Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource

JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject Expression Language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310...

CVSS 9.8 | AI score 6.1 | EPSS 0.79692 | Exploits 1 | References 5

OSV, added 2018/10/16 4:50 p.m.

UBUNTU-CVE-2018-18385

Asciidoctor in versions 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.next_block was not exhausting all the lines in the reader as the while loop expected it would. This was happening because the regular expression that detect...

CVSS 7.5 | AI score 7.1 | EPSS 0.00531 | Exploits 1 | References 3

Prion, added 2018/10/16 4:50 p.m.

Code injection

Asciidoctor in versions 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.next_block was not exhausting all the lines in the reader as the while loop expected it would. This was happening because the regular expression that detect...

CVSS 5 | AI score 7.2 | EPSS 0.00531 | Exploits 1 | References 1 | Affected Software 1

Debian CVE, added 2018/10/16 3:00 p.m.

CVE-2018-18385

Asciidoctor in versions 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.next_block was not exhausting all the lines in the reader as the while loop expected it would. This was happening because the regular expression that detect...

CVSS 7.5 | AI score 7.3 | EPSS 0.00531 | Exploits 1

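The three CVE-2018-18385 entries above describe the same bug class: a "next block" step that can return without consuming a line, driven by a caller that loops while lines remain. The example below is added here to illustrate that class and is not Asciidoctor's code (which is Ruby): the line reader, the "----" delimited-block syntax, the recovery strategy in the fixed step and the sample documents are all constructed for the illustration.

```javascript
// Added example, not Asciidoctor's code: a block parser whose inner step can
// return without consuming input, and a progress guard that turns the
// resulting infinite loop into a hard error instead of a hang.

class LineReader {
  constructor(text) { this.lines = text.split("\n"); this.pos = 0; }
  hasMore() { return this.pos < this.lines.length; }
  peek() { return this.lines[this.pos]; }
  read() { return this.lines[this.pos++]; }
}

// Constructed syntax: a line of "----" opens a listing block, the next "----"
// closes it; anything else is a one-line paragraph.
const DELIM = "----";

// Buggy step: when the closing delimiter is missing it returns null and
// leaves reader.pos untouched, so a caller looping on hasMore() sees the
// same line forever. That is the denial-of-service shape described above.
function nextBlockBuggy(reader) {
  if (reader.peek() === DELIM) {
    const close = reader.lines.indexOf(DELIM, reader.pos + 1);
    if (close === -1) return null;                       // no progress made
    const body = reader.lines.slice(reader.pos + 1, close);
    reader.pos = close + 1;
    return { type: "listing", body };
  }
  return { type: "paragraph", text: reader.read() };
}

// Fixed step: an unterminated block still consumes input. The recovery chosen
// here (the rest of the document becomes the block body) is one reasonable
// option, not the project's.
function nextBlockFixed(reader) {
  if (reader.peek() === DELIM) {
    let close = reader.lines.indexOf(DELIM, reader.pos + 1);
    if (close === -1) close = reader.lines.length;
    const body = reader.lines.slice(reader.pos + 1, close);
    reader.pos = Math.min(close + 1, reader.lines.length);
    return { type: "listing", body };
  }
  return { type: "paragraph", text: reader.read() };
}

// Driver with a progress guard: every iteration must advance the reader.
// Independent of which step is plugged in, a step that stalls fails loudly.
function parseBlocks(text, nextBlock) {
  const reader = new LineReader(text);
  const blocks = [];
  while (reader.hasMore()) {
    const before = reader.pos;
    const block = nextBlock(reader);
    if (block !== null) blocks.push(block);
    if (reader.pos === before) {
      throw new Error(
        `parser made no progress at line ${before + 1}: ${JSON.stringify(reader.peek())}`
      );
    }
  }
  return blocks;
}

// Constructed inputs: a well-formed document and one with an unclosed block.
const GOOD = "intro\n----\ncode\n----\noutro";
const UNTERMINATED = "intro\n----\ncode without a closing delimiter";

// Wraps parseBlocks so a stalled parse is reported as data rather than thrown.
function parseSafe(text, nextBlock) {
  try { return { ok: true, blocks: parseBlocks(text, nextBlock) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

console.log(JSON.stringify(parseSafe(UNTERMINATED, nextBlockBuggy)));
console.log(JSON.stringify(parseSafe(UNTERMINATED, nextBlockFixed)));
```

The guard costs one integer comparison per iteration and is worth keeping even after the step is fixed: it converts any future "forgot to consume" regression from an unbounded CPU burn on attacker-supplied documents into an immediate, attributable failure.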
Github Security Blog, added 2018/10/10 6:57 p.m.

ReDoS via long string of semicolons in tough-cookie

Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header. Recommendation: Update to version 2.3.0 or later...

CVSS 5.3 | AI score 4.8 | EPSS 0.00921 | Exploits 0 | References 9 | Affected Software 1

OSV, added 2018/10/09 12:40 a.m.

GHSA-HXM2-R34F-QMC5 Regular Expression Denial of Service in minimatch

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern). Proof of Concept (js): var minimatch = require("minimatch"); // utility function for generating long strings var genstr = functio...

CVSS 7.5 | AI score 7.4 | EPSS 0.00435 | Exploits 1 | References 3

Github Security Blog, added 2018/10/09 12:40 a.m.

Regular Expression Denial of Service in minimatch

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern). Proof of Concept (js): var minimatch = require("minimatch"); // utility function for generating long strings var genstr = functio...

CVSS 7.5 | AI score 7.4 | EPSS 0.00435 | Exploits 1 | References 3 | Affected Software 1

Github Security Blog, added 2018/10/09 12:30 a.m.

Regular Expression Denial of Service in negotiator

Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value. Recommendation: Update to version 0.6.1 or later...

CVSS 7.5 | AI score 5.1 | EPSS 0.00328 | Exploits 0 | References 3 | Affected Software 1

Github Security Blog, added 2018/10/09 12:27 a.m.

Denial of Service in protobufjs

Versions of protobufjs before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid .proto files. Recommendation: Update to version 5.0.3, 6.8.6 or later...

CVSS 5.5 | AI score 5.4 | EPSS 0.00185 | Exploits 1 | References 5 | Affected Software 1

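The Moment.js, tough-cookie, minimatch, negotiator and protobufjs entries above all share one root cause: a backtracking regex engine handed a pattern whose quantifiers overlap, plus input the attacker controls (a date string, a Set-Cookie header, a glob pattern, an Accept-Language value, a .proto file). The example below is added here to show that mechanism concretely and is not code from any of those projects: the vulnerable pattern, the linear-time scanner that replaces it and the test corpus are constructed for the illustration.

```javascript
// Added example, not from any of the advisories above: why a nested
// quantifier blows up, and what a linear-time replacement looks like.

// Constructed vulnerable pattern: "words separated by at most one space".
// The inner \w+ and the outer * overlap, so on a NON-matching input of n
// word characters followed by "!" the engine tries about 2^(n-1) ways to
// split the run into groups before it can report failure.
const VULNERABLE = /^(\w+\s?)*$/;

function matchVulnerable(s) {
  return VULNERABLE.test(s);
}

// Hand-written scanner accepting exactly the same language in O(n): one or
// more \w characters, optionally followed by ONE whitespace character,
// repeated until the input is exhausted. Empty input matches, as it does
// for the regex. Using the same \w and \s classes keeps the two in step.
function matchLinear(s) {
  let i = 0;
  while (i < s.length) {
    const start = i;
    while (i < s.length && /\w/.test(s[i])) i++;
    if (i === start) return false;              // a word is required here
    if (i < s.length && /\s/.test(s[i])) i++;   // at most one separator
  }
  return true;
}

// Wall-clock cost of one call, in milliseconds.
function timeMs(fn, input) {
  const t0 = Date.now();
  fn(input);
  return Date.now() - t0;
}

// Cross-check both matchers on a constructed corpus; true when they agree on
// every input. Any replacement for a regex needs this kind of equivalence
// check, or the "fix" quietly changes what the application accepts.
function crossCheck() {
  const corpus = [
    "", "a", "hello world", "hello  world", "a b c d", "tab\tsep", "!", "abc!",
    "a".repeat(12) + "!", "a ".repeat(40), "a ".repeat(40).trim() + "!",
  ];
  return corpus.every((s) => matchVulnerable(s) === matchLinear(s));
}

// Growth demo: work roughly doubles per extra character for the regex and
// stays flat for the scanner. Kept to n <= 18 so it runs quickly; the regex
// side grows without bound as n increases, the scanner side does not.
function demo() {
  for (let n = 12; n <= 18; n += 2) {
    const evil = "a".repeat(n) + "!";
    console.log(
      `n=${n}: regex ${timeMs(matchVulnerable, evil)} ms, scanner ${timeMs(matchLinear, evil)} ms`
    );
  }
}

demo();
```

Two practical notes. An input-length cap is only a mitigation when the blow-up is polynomial; for an exponential pattern like the one above even a few dozen characters is enough, so the pattern has to be rewritten. And where the attacker controls the pattern rather than the subject, as in the minimatch case, the fix is on the other side: never pass user input as a pattern, or escape every metacharacter first.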
OSV, added 2018/10/04 11:29 p.m.

CVE-2018-17984

An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access...

CVSS 7.8 | AI score 6 | EPSS 0.00427 | Exploits 1 | References 3

CVE, added 2018/10/04 11:00 p.m.

CVE-2018-17984

CVE-2018-17984 affects ISPConfig prior to 3.1.13, where an unanchored /[a-z]{2}/ regular expression enables arbitrary file inclusion, potentially leading to code execution. The issue is exploitable by authenticated users with local filesystem access, allowing execution in the security context of ...

CVSS 7.8 | AI score 7.6 | EPSS 0.00427 | Exploits 1 | References 3 | Affected Software 1

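The two CVE-2018-17984 entries above turn on a single detail: a validation regex with no anchors only checks that the value contains two lowercase letters somewhere, so a traversal string passes. The example below is added here to show that bug class and its fix; ISPConfig is PHP and this is not its code. The checks, the hypothetical "lang/<code>.lng" layout, the allow-list and the probe inputs are all constructed for the illustration.

```javascript
// Added example, not ISPConfig's code: an unanchored validation regex beside
// its anchored form, and what each lets through into a file path.

// Unanchored: true for "en", but also for "../../etc/passwd" (it contains "et").
function isLangUnanchored(code) {
  return /[a-z]{2}/.test(code);
}

// Anchored: the whole value must be exactly two lowercase ASCII letters.
// Caveat when porting this to PHP: in PCRE, $ also matches before a trailing
// newline unless the D modifier is set, so there prefer \z (or D) to $.
// JavaScript's $ without the m flag means end of input, so "en\n" is rejected.
function isLangAnchored(code) {
  return /^[a-z]{2}$/.test(code);
}

// Belt and braces: an allow-list of codes the application actually ships
// (constructed here), so the value never reaches the filesystem as free text.
const SHIPPED_LANGS = new Set(["en", "de", "fr"]);
function isLangKnown(code) {
  return isLangAnchored(code) && SHIPPED_LANGS.has(code);
}

// Hypothetical lookup in the style of "include the language file the user
// asked for". Returns the relative path that would be included, or null when
// the supplied check rejects the input. In a PHP include(), a path that
// escapes the directory and lands on an attacker-writable file is code
// execution, which is the impact the advisory describes.
function langFile(code, check) {
  return check(code) ? `lang/${code}.lng` : null;   // hypothetical layout
}

// Constructed probes: valid, wrong case, trailing newline, two traversals, empty.
const PROBES = ["en", "EN", "en\n", "../../etc/passwd", "de/../../uploads/shell.php", ""];

// Runs every probe through langFile with the given check; maps probe -> path or null.
function evaluate(check) {
  const out = {};
  for (const p of PROBES) out[p] = langFile(p, check);
  return out;
}

console.log("unanchored:", evaluate(isLangUnanchored));
console.log("anchored:  ", evaluate(isLangAnchored));
console.log("allow-list:", evaluate(isLangKnown));
```

The difference is visible in the first two printed maps: the unanchored check hands "lang/../../etc/passwd.lng" and "lang/de/../../uploads/shell.php.lng" to the include, while the anchored check returns null for every probe except "en". The allow-list additionally rejects two-letter codes that are well-formed but not shipped.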