196 matches found
CVE-2018-11765
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. Mitigation Users should upgrade to Apache Hadoop 2.10.0, 3.0.1 or upper. If it...
CVE-2020-11626 (Cross site scripting)
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Two Cross-Site Scripting (XSS) vulnerabilities have been found in the Public Web and the Certificate/CRL download servlets...
EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2019-2675)
According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to...
Cross site scripting
SAP NetWeaver Process Integration, versions: SAPXIESR: 7.20, SAPXITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim’s browser, by injecting malicious scrip...
Apache Struts OGNL injection vulnerability principle with an example-vulnerability warning-the black bar safety net
In this article we look at how OGNL injection is achieved in Apache Struts. The examples are built around two critical Struts vulnerabilities: CVE-2017-5638 (the Equifax information disclosure) and CVE-2018-11776. Apache Struts is a free open source framework for creating modern...
The vulnerability of the Foundation UI & Servlets component of the Hyperion BI+ event service allows a perpetrator to gain read access to data, modify data, or cause a partial service failure.
The vulnerability of the Foundation UI & Servlets component of the Hyperion BI+ service is related to deficiencies in access control. Exploiting this vulnerability could allow a malicious actor to gain read, modify, add, or delete access to data, or cause a partial service outage through HTTP...
CVE-2019-2415
Vulnerability in the Hyperion BI+ component of Oracle Hyperion subcomponent: Foundation UI & Servlets. The supported version that is affected is 11.1.2.4. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion BI+. Successful attacks...
Directory Traversal
servlets-default is vulnerable to directory traversal attacks. The vulnerability exists due to default configuration of enabling directory traversal, allowing directories to be listed with a ; after a filename with a mapped extension...
Path Traversal
Apache Tomcat servlets-webdav is vulnerable to path traversal. A remote authenticated user is able to submit absolute file paths to read arbitrary files via a WebDAV write request which specifies an entry with a SYSTEM tag...
Debian DLA-1450-1 : tomcat8 security update
Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2018-1304 The URL pattern of '' (the empty string), which exactly maps to the context root, was not correctly handled in Apache Tomcat when used as part of a security constraint definition. This caused the...
Oracle Secure Global Desktop Multiple Vulnerabilities (July 2018 CPU)
The version of Oracle Secure Global Desktop installed on the remote host is 5.3 / 5.4 and is missing a security patch from the July 2018 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities: - curl version curl 7.54.1 to and including curl 7.59.0 contains a Heap-based...
Soleo: Directory Traversal + HTTP Parameter Pollution leaking SQL/LDAP credentials
Upon visiting the login page of a provider’s IP Relay client, we noticed that if someone were to click the “forgot password” link, it would bring them to a URL which appeared as the following: https://./IPRelayApp/servlet/IPRelay?page=forgotPassword When attempting to modify the "page" GET...
KYOCERA Net Admin 3.4 Multiple XSS Vulnerabilities
Summary KYOCERA Net Admin is Kyocera's unified device management software that uses a web-based platform to give network administrators easy and uncomplicated control to handle a fleet for up to 10,000 devices. Tasks that used to require multiple programs or walking to each printer can now be...
Security Bulletin: IBM Cúram Social Program Management is vulnerable to cross-site request forgery attacks (CVE-2014-6090).
Summary IBM Cúram Social Program management contains a number of servlets which do not adequately protect against CSRF. This could potentially allow an attacker to affect the integrity of data managed by these servlets. Vulnerability Details CVEID: CVE-2014-6090 DESCRIPTION: IBM Curam Social...
CVE-2018-1216 (Hardcoded credentials)
A hard-coded password vulnerability was discovered in vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management eManagement: Dell EMC Unisphere for VMAX Virtual Appliance versions prior to...
[SECURITY] [DLA 1301-1] tomcat7 security update
Package : tomcat7 Version : 7.0.28-4+deb7u18 CVE ID : CVE-2018-1304 CVE-2018-1305 Two security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2018-1304 The URL pattern of "" (the empty string), which exactly maps to the context root, was not correctly handled in Apache...