XWork in Apache Struts Reveals Sensitive Information

XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772....

OSV-2022-385 Uncaught exception in jaz.Zer.<clinit>

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47116 Crash type: Uncaught exception Crash state: jaz.Zer. java.base/java.lang.Class.forName0 java.base/java.lang.Class.forName...

USN-5313-1: OpenJDK vulnerabilities

It was discovered that OpenJDK incorrectly handled deserialization filters. An attacker could possibly use this issue to insert, delete or obtain sensitive information. CVE-2022-21248 It was discovered that OpenJDK incorrectly read uncompressed TIFF files. An attacker could possibly use this issu...

ColdFusion verifyldapserver vulnerability

Added: 03/07/2022 Background Adobe ColdFusion is a web application development platform written in Java. Problem The verifyldapserver method in utils.cfc allows a remote attacker to cause the server to download a Java class from an arbitrary LDAP server, leading to remote code execution. Resoluti...

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

vuln4japi A vulnerable Java based REST API for demonstrating C...

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

log4shell.tools !buildhttps://github.com/alexbakker/log4sh...

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

CVE-2021-44228 A Zeek package which raises notices, tags HTTP...

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

Python Log4RCE An all-in-one pure Python3 PoC for CVE-2021-4...

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

Python Log4RCE An all-in-one pure Python3 PoC for CVE-2021-4...

Aiven Ltd: Apache Flink RCE via GET jar/plan API Endpoint

Summary: Aiven has not restricted access to the GET jars/jarid/plan API. This endpoint can be used to load java class files with the specified arguments that are in the java classpath on the server. This can be abused to gain RCE on the Apache Flink Server. Steps To Reproduce: The video below sho...

CVE-2021-23262

Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE...

CVE-2021-23262

Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE...

Security feature bypass

Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE...

CVE-2021-23262 Snakeyaml deserialization vulnerability bypass

Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE...

Code injection

The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format...

OX App Suite / Ox Documents 7.10.x XSS / Code Injection / Traversal Vulnerability

OX App Suite and OX Documents suffer from cross site scripting, code injection, path traversal, and input validation vulnerabilities. Most of these issues affect 7.10.5 and below with one affecting 7.10.4 and below. Product: OX App Suite, OX Documents Vendor: OX Software GmbH Internal reference:...

Advantech iView CommandServlet Directory Traversal (CVE-2021-22656)

A directory traversal vulnerability exists in the Advantech iView. The vulnerability is due to improper validation of user-supplied path when processing the request in CommandServlet Java class...

CVE-2021-39181

OpenOlat is a web-based learning management system LMS. Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file e.g. a course any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the...

XStream Arbitrary Code Execution Vulnerability (CNVD-2021-67820)

XStream is an open source Java class library that is mainly used to serialize objects to XML JSON or deserialize them to objects.XStream 1.4.17 and earlier versions have an arbitrary code execution vulnerability that can be exploited by attackers to cause arbitrary code execution...

XStream Denial of Service Vulnerability (CNVD-2021-67829)

XStream is an open source Java class library that is mainly used to serialize objects to XML JSON or deserialize them to objects.XStream 1.4.17 and earlier versions have an arbitrary code execution vulnerability that can be exploited by attackers to cause a denial of service...