48 matches found

CNNVD
added 2025/03/13 12:0 a.m., 1 views

IntegratedScripting injection vulnerability

IntegratedScripting is a Cyclops open source for creating scripts for handling complex operations in integrated dynamics. IntegratedScripting suffers from an injection vulnerability that stems from escaping the JavaScript sandbox via Java reflection on a thrown exception object to construct...

CVSS 9.4, AI score 8.2, EPSS 0.00447
Exploits 0, References 4

Trellix
added 2024/06/27 12:0 a.m., 33 views

The Bug Report - June 2024 Edition

The Bug Report - June 2024 Edition By Jonathan Omakun & Tobi Olawale · June 27, 2024 Why am I Here Welcome back to The Bug Report, the "so hot the server fans are sweating" edition! For those who are new to our monthly adventure, every month, our dedicated Advanced Research Center vulnerability...

CVSS 9.8, AI score 9.4, EPSS 0.94393
Exploits 75

OSV
added 2021/06/01 2:15 p.m., 22 views

CVE-2021-30179

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API...

CVSS 9.8, AI score 6.9
Exploits 0, References 1

NVD
added 2021/06/01 2:15 p.m., 14 views

CVE-2021-30179

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API...

CVSS 9.8, EPSS 0.02183
Exploits 0, References 1

Prion
added 2021/06/01 2:15 p.m., 15 views

Deserialization of untrusted data

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API...

CVSS 7.5, AI score 9.4, EPSS 0.02183
Exploits 0, References 2, Affected Software 1

Gitee
added 2020/09/01 9:22 a.m., 2 views

ysoserial

This is a Java tool called ysoserial, which is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. The tool is designed to create payloads that can be used to execute arbitrary code on a Java application that performs unsafe deserialization of objects...

AI score 8
Exploits 0

NVD
added 2020/07/09 2:15 a.m., 7 views

CVE-2020-5604

Android App 'Mercari' Japan version prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView...

CVSS 8.1, EPSS 0.01475
Exploits 0, References 1

Prion
added 2020/07/09 2:15 a.m., 9 views

Design/Logic Flaw

Android App 'Mercari' Japan version prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView...

CVSS 6.8, AI score 7.9, EPSS 0.01475
Exploits 0, References 1, Affected Software 1

CVE
added 2020/07/09 1:5 a.m., 51 views

CVE-2020-5604

CVE-2020-5604 affects the Android App “Mercari” (Japan version) prior to version 3.52.0. The vulnerability arises from inadequate restrictions on addJavascriptInterface in WebView, enabling a remote attacker to trigger arbitrary Java method execution via Java Reflection API from JavaScript code o...

CVSS 8.1, AI score 8, EPSS 0.01475
Exploits 0, References 1, Affected Software 1

Cvelist
added 2020/07/09 1:5 a.m., 11 views

CVE-2020-5604

Android App 'Mercari' Japan version prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView...

AI score 8.1, EPSS 0.01475
Exploits 0, References 1

Japan Vulnerability Notes
added 2020/07/08 12:0 a.m., 86 views

JVN#93167107: Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of Java object

Android App "Mercari" Japan version provided by Mercari, Inc. contains vulnerability which may allow arbitrary Java method execution CWE-749 due to inadequate restrictions on addJavascriptInterface of WebView class. Impact An arbitrary method of a Java object may be executed by a remote attacker...

CVSS 8.1, AI score 8.1, EPSS 0.01475
Exploits 0

CNVD
added 2019/06/06 12:0 a.m., 1 views

HPE Intelligent Management Center (IMC) TopoMsgServlet Java Reflection Remote Code Execution Vulnerability

HPE Intelligent Management Center IMC is a comprehensive management platform built from the ground up to support the Failure, Configuration, Accounting, Performance and Security FCAPS model. A TopoMsgServlet Java reflection remote code execution vulnerability exists in HPE Intelligent Management...

CVSS 9, AI score 8.2, EPSS 0.01738
Exploits 0, References 1

IBM Security Bulletins
added 2018/06/17 1:5 p.m., 20 views

Security Bulletin: IBM Cúram Social Program Management is vulnerable to Java reflection attack(CVE-2014-8903).

Summary IBM Cúram Social Program Management is vulnerable to Java reflection attack caused by external input that is used to specify a class. A remote attacker could exploit this vulnerability by injecting arbitrary class names which will be subsequently loaded. Vulnerability Details CVE-2014-890...

CVSS 8.8, AI score 2.5, EPSS 0.0085
Exploits 0, Affected Software 1

myhack58
added 2015/12/23 12:0 a.m., 155 views

Android WebView remote code execution vulnerability analysis-vulnerability warning-the black bar safety net

In the past period of time, the WebView remote code execution vulnerability can be said to be swept a large number of the Android App query some vulnerabilities of the platform can be substantially the case, given the many loopholes in the App and not disclosed, and therefore WebView remote code...

AI score 1
Exploits 0

seebug.org
added 2015/11/25 12:0 a.m., 30 views

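Apache Commons Collections 'InvokerTransformer.java' remote code execution vulnerability

Apache Commons Collections background: Apache Commons Collections is a third-party base library that extends the Collection structures in the Java standard library; it provides many powerful data structure types and implements various collection utility classes. As an important component of the Apache open source projects, Commons Collections is widely used in the development of all kinds of Java applications. Apache Commons Collections vulnerability principle: The Map class is a data structure that stores key-value pairs; Apache Commons...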

AI score 7
Exploits 0

ThreatPost
added 2014/04/02 1:26 p.m., 17 views

Researchers Divulge 30 Oracle Java Cloud Service Bugs

Upset with the vulnerability handling process at Oracle, researchers yesterday disclosed more than two dozen outstanding issues with the company’s Java Cloud Service platform. Researchers at Security Explorations published two reports, complete with proof of concept codes, explaining 30 different...

AI score 0.1
Exploits 0, References 4

Prion
added 2014/03/03 4:50 a.m., 17 views

Design/Logic Flaw

The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application...

CVSS 6.8, AI score 7.6, EPSS 0.76381
Exploits 12, References 8, Affected Software 1

0day.today
added 2014/02/08 12:0 a.m., 45 views

Android Browser and WebView addJavascriptInterface Code Execution

This Metasploit module exploits a privilege escalation issue in Android versions prior 4.2's WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs...

AI score 7.2
Exploits 0

Packet Storm
added 2014/02/07 12:0 a.m., 21 views

Android Browser / WebView addJavascriptInterface Code Execution

This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 "Android", :arch = ARCHARMLE, :javascript = true, :rank = ExcellentRanking, :vulntest = %Q| for i in top try...

AI score 1
Exploits 0

RedHat Linux
added 2013/10/23 4:26 p.m., 2 views

JDK: java.lang.reflect.Method invoke() code execution

Unspecified vulnerability in the JRE component in IBM Java 7 SR2 and earlier, Java 6.0.1 SR3 and earlier, Java 6 SR11 and earlier, Java 5 SR14 and earlier, and Java 142 SR13 FP13 and earlier; as used in IBM Rational Host On-Demand, Rational Change, Tivoli Monitoring, Smart Analytics System 5600,...

CVSS 9.3, AI score 5.9, EPSS 0.08461
Exploits 0, References 5