Lucene search
+L

439 matches found

Cvelist
Cvelist
added 2018/06/11 5:0 p.m.34 views

CVE-2017-3202 The implementation of Action Message Format (AMF3) deserializers in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes due to improper code control

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability...

9.6AI score0.0821EPSS
Exploits2References4
Cvelist
Cvelist
added 2018/06/11 5:0 p.m.28 views

CVE-2017-3206 The Action Message Format (AMF3) deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages

The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references XXEs from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, deni...

9.5AI score0.0368EPSS
Exploits2References4
CVE
CVE
added 2018/06/11 5:0 p.m.55 views

CVE-2017-3206

CVE-2017-3206 affects Flamingo amf-serializer (Exadel) AMF3 deserializers; version 2.2.0 is vulnerable to XML External Entity (XXE) references from XML in AMF3 messages, potentially exposing data, causing DoS, or enabling SSRF. Remediation: apply an update to a newer version where XXE is addresse...

9.8CVSS9.5AI score0.0368EPSS
Exploits2References4Affected Software1
Node.js
Node.js
added 2018/05/15 11:38 p.m.16 views

Malicious Package

Overview Version 2.0.10 of json-serializer contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 2.0.10 of this module is found...

6.9AI score
Exploits0Affected Software1
RubySec
RubySec
added 2017/11/16 12:0 a.m.21 views

Unsafe objects can be loaded from Redis

Redis-store =v1.3.0 allows unsafe objects to be loaded from Redis via the use of the Marshal serializer...

9.8CVSS4.2AI score0.01983EPSS
Exploits0References1Affected Software1
Fedora
Fedora
added 2017/11/15 8:23 p.m.23 views

[SECURITY] Fedora 26 Update: rubygem-ox-2.4.13-2.fc26

A fast XML parser and object serializer that uses only standard C lib. Optimized XML Ox, as the name implies was written to provide speed optimi zed XML handling. It was designed to be an alternative to Nokogiri and other Ru by XML parsers for generic XML parsing and as an alternative to Marshal...

7.5CVSS2.2AI score0.01713EPSS
Exploits1
myhack58
myhack58
added 2017/04/07 12:0 a.m.173 views

Java AMF3 deserialization vulnerability analysis-vulnerability warning-the black bar safety net

AMF Action Message Format is a binary serialization format, before the main Flash application in using this format. Recently, the Code White found to have multiple Java AMF library in the presence of vulnerabilities, and these vulnerabilities will lead to unauthenticated remote code execution...

5CVSS7.4AI score0.0954EPSS
Exploits2
Veracode
Veracode
added 2017/04/06 7:36 a.m.24 views

XML External Entity (XXE)

amf-serializer is vulnerable to to XML External Entity XXE. The library's AMF3 deserializers allow for external entity references from XML documents embedded in AMF3 messages...

9.8CVSS9.2AI score0.0368EPSS
Exploits2References6Affected Software1
Veracode
Veracode
added 2017/04/06 2:55 a.m.33 views

Remote Code Execution (RCE) Via Deserialization Of Untrusted Data

amf-serializer is vulnerable to remote code execution RCE via deserialization of untrusted data. The vulnerability is possible because it has a flaw in AMF3 deserialization using AMF3Deserializer.readAMF3Object. This allows attackers to request a Remote Method Invocation RMI remote object from th...

8.1CVSS8.9AI score0.05385EPSS
Exploits2References6Affected Software1
seebug.org
seebug.org
added 2017/04/06 12:0 a.m.81 views

AMF3 Java implementations deserialization Vulnerability

Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers derive class instances from java. io. Externalizable rather than the AMF3 specification's recommendation of a flash. utils. IExternalizable. A remote attacker with the ability to...

7.5CVSS9.6AI score0.16239EPSS
Exploits5
seebug.org
seebug.org
added 2017/04/06 12:0 a.m.63 views

AMF3 Java implementations Improper Control of Dynamically-Managed Code Resources

Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this...

9.5AI score0.21274EPSS
Exploits6
CERT
CERT
added 2017/04/04 12:0 a.m.518 views

Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities references

Overview Several Java implementations of AMF3 are vulnerable to insecure deserialization and XML external entities references. Description Several Java implementations of Action Message Format AMF3 are vulnerable to one or more of the following implementation errors:CWE-502: Deserialization of...

9.8CVSS9AI score0.21274EPSS
Exploits12References7
PyPA
PyPA
added 2017/02/22 4:59 p.m.11 views

PYSEC-2017-15

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909...

6.1CVSS6.2AI score0.02141EPSS
Exploits0References8Affected Software1
UbuntuCve
UbuntuCve
added 2017/02/22 4:59 p.m.22 views

CVE-2016-9910

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909...

6.1CVSS6.3AI score0.02141EPSS
Exploits0References3
Prion
Prion
added 2017/02/22 4:59 p.m.15 views

Cross site scripting

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909...

4.3CVSS5.9AI score0.02141EPSS
Exploits0References7Affected Software1
NVD
NVD
added 2017/02/22 4:59 p.m.18 views

CVE-2016-9910

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909...

6.1CVSS5.9AI score0.02141EPSS
Exploits0References7
Prion
Prion
added 2017/02/22 4:59 p.m.12 views

Cross site scripting

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of the less than character in attribute values...

4.3CVSS5.8AI score0.02141EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2017/02/22 4:59 p.m.9 views

PYSEC-2017-14

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of the less than character in attribute values...

6.1CVSS6.1AI score0.02141EPSS
Exploits0References8Affected Software1
OSV
OSV
added 2017/02/22 4:59 p.m.17 views

PYSEC-2017-14

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of the less than character in attribute values...

6.1CVSS5.1AI score0.02141EPSS
Exploits0References8
OSV
OSV
added 2017/02/22 4:59 p.m.18 views

PYSEC-2017-15

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909...

6.1CVSS4.4AI score0.02141EPSS
Exploits0References8
Rows per page
Query Builder