Authorization

A missing authorization check in multiple SOAP endpoints of the Insider Threat Management Server enables an attacker on an adjacent network to read and write unauthorized objects. Successful exploitation requires an attacker to first obtain a valid agent authentication token. All versions before...

CVE-2023-35998 ITM Server Missing Authorization in SOAP Endpoints

A missing authorization check in multiple SOAP endpoints of the Insider Threat Management Server enables an attacker on an adjacent network to read and write unauthorized objects. Successful exploitation requires an attacker to first obtain a valid agent authentication token. All versions before...

CVE-2023-35998 ITM Server Missing Authorization in SOAP Endpoints

A missing authorization check in multiple SOAP endpoints of the Insider Threat Management Server enables an attacker on an adjacent network to read and write unauthorized objects. Successful exploitation requires an attacker to first obtain a valid agent authentication token. All versions before...

The vulnerability of the “Add UCS Device” function in the OpManager network monitoring software, including OpManager MSP and OpManager Plus, allows a attacker to perform an SSRF attack.

The vulnerability of the “Add UCS Device” function in OpManager’s network monitoring software, including OpManager MSP and OpManager Plus, is related to incorrect restrictions on XML links to external objects. Exploiting this vulnerability could allow a malicious actor to perform an SSRF attack...

Deserialization Of Untrusted Data

kredis is vulnerable to Deserialization Of Untrusted Data. The vulnerability exists in castvalue function at json.rb which allows an attacker to parse crafted JSON data possibly resulting in deserialization of unexpected objects in the system...

CVE-2023-26436

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processin...

CVE-2023-26436

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processin...

Open-Xchange AppSuite 代码问题漏洞

Open-Xchange AppSuite is a set of Web cloud desktop environments from Open-Xchange Germany. The environment allows users to manage email, tasks, files, etc. more intuitively. A code issue vulnerability exists in Open-Xchange App Suite that stems from the ability to inject serialized Java objects,...

json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘‘ or ‘‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed...

Code injection

Documents were incorrectly assuming an ordering of principal objects when ensuring we were loading an appropriately privileged principal. In certain circumstances it might have been possible to cause a document to be loaded with a higher privileged principal than intended. This vulnerability...

CLSA-2023-1686859492 php: Fix of 3 CVEs

CVE-2022-31628: Fix potential infinite recursion in phar wrapper when using quine gzip file - CVE-2022-31629: Add cookie integrity validation - CVE-2022-31631: Fix integer overflow that could cause PDO::quote to return an improperly quoted string...

jjson vulnerable to stack exhaustion

An issue was discovered jjson through 0.1.7 allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures...

GHSA-75M3-F4HR-2VH9 jjson vulnerable to stack exhaustion

An issue was discovered jjson through 0.1.7 allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures...

GHSA-MX27-GG24-H2JC ph-json vulnerable to stack exhaustion

An issue was discovered ph-json through 9.5.5 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies...

JSONUtil vulnerable to stack exhaustion

An issue was discovered JSONUtil through 5.0 that allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures...

htmlcleaner vulnerable to stack exhaustion

An issue was discovered htmlcleaner through version 2.28 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies...

jsonij vulnerable to stack exhaustion

An issue was discovered jmarsden/jsonij through 0.5.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies...

genson vulnerable to stack exhaustion

An issue was discovered genson through 1.6 allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures...

ph-json vulnerable to stack exhaustion

An issue was discovered ph-json through 9.5.5 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies...

GHSA-JV4X-J47Q-6QVP htmlcleaner vulnerable to stack exhaustion

An issue was discovered htmlcleaner through version 2.28 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies...