39 matches found
OESA-2024-2004 python-django security update
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with ...
BIT-SILVERSTRIPE-2021-28661
Default SilverStripe GraphQL Server aka silverstripe/graphql 3.x through 3.4.1 permission checker not inherited by query subclass...
CVE-2024-26624
CVE-2024-26624 is rejected by its CNA and does not represent an active vulnerability.
CVE-2024-23683 Artemis Java Test Sandbox InvocationTargetException Subclass Escape
Artemis Java Test Sandbox versions less than 1.7.6 are vulnerable to a sandbox escape when an attacker crafts a special subclass of InvocationTargetException. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code...
SUSE CVE-2018-8013
In Apache Batik 1.x before 1.10, when deserializing subclass of AbstractDocument, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization...
ASB-A-244154558
In run of ChooseTypeAndAccountActivity.java, there is a possible escalation of privilege due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2021-28661
Default SilverStripe GraphQL Server aka silverstripe/graphql 3.x through 3.4.1 permission checker not inherited by query subclass...
CVE-2021-28661 Default GraphQL permission checker not inherited by query subclass
More info at https://www.silverstripe.org/download/security-releases/CVE-2021-28661...
iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References
When deserializing a class with initWithCoder, subclasses of that class can also be deserialized so long as they do not override initWithCoder and implement all methods that require a concrete implementation. PFArray is such a subclass of NSArray. When a PFArray is deserialized, it is deserialize...
iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References
iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References When deserializing a class with initWithCoder, subclasses of that class can also be deserialized so long as they do not override initWithCoder and implement all methods that require a concrete implementation...
iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References Exploit
When deserializing a class with initWithCoder, subclasses of that class can also be deserialized so long as they do not override initWithCoder and implement all methods that require a concrete implementation. PFArray is such a subclass of NSArray. When a PFArray is deserialized, it is deserialize...
OPENSUSE-SU-2019:0244-1 Security update for python-Jinja2
This update for python-Jinja2 fixes the following issues: - Update to 2.8 - Added target parameter to urlize function. - Added support for followsymlinks to the file system loader. - The truncate filter now counts the length. - Added equalto filter that helps with select filters. - Changed cache...
CVE-2018-8013
In Apache Batik 1.x before 1.10, when deserializing subclass of AbstractDocument, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization...
Information Disclosure
Apache batik-dom is vulnerable to information disclosure. The vulnerability exists because the user provided string is used as a class name without checking if it was a valid class type. This string is then passed to a no-arg constructor during deserialization of the AbstractDocument subclass...
CVE-2018-8013
In Apache Batik 1.x before 1.10, when deserializing subclass of AbstractDocument, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization...
UBUNTU-CVE-2018-8013
In Apache Batik 1.x before 1.10, when deserializing subclass of AbstractDocument, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization...
ZDI-10-055: Sun Java Runtime Environment Mutable InetAddress Socket Policy Violation Vulnerability
ZDI-10-055: Sun Java Runtime Environment Mutable InetAddress Socket Policy Violation Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-055 April 5, 2010 -- CVE ID: CVE-2010-0095 -- Affected Vendors: Sun Microsystems -- Affected Products: Sun Microsystems Java Runtime -- Vulnerabili...
OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.225 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2010-0093...
Design/Logic Flaw
Java Embedding Plugin 0.9.6.1 allows remote attackers to cause a denial of service browser crash via a Thread subclass that calls super.run from its run method...