Lucene search
K

10 matches found

Github Security Blog
Github Security Blog
added 2018/12/19 7:24 p.m.23 views

Improper Restriction of XML External Entity Reference in pippo-core

jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE...

9.8CVSS2.7AI score0.015EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2018/12/11 10:29 a.m.17 views

CVE-2018-20059

jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE...

9.8CVSS6.8AI score
Exploits0References1
NVD
NVD
added 2018/12/11 10:29 a.m.19 views

CVE-2018-20059

jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE...

9.8CVSS9.4AI score0.015EPSS
Exploits1References1
Cvelist
Cvelist
added 2018/12/11 10:0 a.m.15 views

CVE-2018-20059

jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE...

9.5AI score0.015EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2018/10/24 7:42 p.m.49 views

Improper Input Validation in alilibaba:fastjson

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...

10CVSS6.1AI score0.3897EPSS
Exploits2References6Affected Software2
Prion
Prion
added 2018/10/23 8:29 p.m.18 views

Design/Logic Flaw

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

10CVSS9.7AI score0.05482EPSS
Exploits1References1Affected Software1
NVD
NVD
added 2018/10/23 8:29 p.m.31 views

CVE-2017-18349

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...

10CVSS9.6AI score0.3897EPSS
Exploits2References3
NVD
NVD
added 2018/10/23 8:29 p.m.24 views

CVE-2018-18628

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

10CVSS9.7AI score0.05482EPSS
Exploits1References1
OSV
OSV
added 2018/10/23 8:29 p.m.11 views

CVE-2018-18628

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

9.8CVSS9.7AI score
Exploits0References1
Cvelist
Cvelist
added 2018/10/23 8:0 p.m.28 views

CVE-2018-18628

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

9.8AI score0.05482EPSS
Exploits1References1
Rows per page
Query Builder