499 matches found
CVE-2023-44483 Apache Santuario: Private Key disclosure in debug-log output
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...
Apache Santuario Log Information Disclosure Vulnerability
Apache Santuario is a set of major security standards for implementing XML from the Apache Foundation in the U.S. It contains two libraries: Apache XML Security for Java and Apache XML Security for C++. Apache Santuario suffers from a log message disclosure vulnerability that stems from the...
CVE-2023-44483
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...
GHSA-WC9J-GC65-3CM7 DDFFileParser is vulnerable to XXE Attacks
Impact DDFFileParser and DefaultDDFFileValidator and so ObjectLoader are vulnerable to XXE AttacksProcessing. DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if they parse untrusted DDF files e.g. if they let external users provide their own model...
Arbitrary Code Execution
ruby-saml is vulnerable to Arbitrary Code Execution. The vulnerability exists due to a lack of using prepared statements in xmlsecurity.rb which allow an attacker to execute arbitrary codes into the system...
GHSA-R364-2PJ4-PF7F ruby-saml vulnerable to XPath injection
xmlsecurity.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used...
OneLogin ruby-saml 命令注入漏洞
Onelogin OneLogin ruby-saml is a Ruby-based SAML Security Assertion Markup Language library for Single Sign-On SSO services from Onelogin, USA. A security vulnerability exists in OneLogin ruby-saml prior to version 1.0.0, which stems from not using pre-defined statements, causing xmlsecurity.rb i...
PT-2023-10309 · Ruby · Ruby-Saml
Name of the Vulnerable Software and Affected Versions: ruby-saml gem versions prior to 1.0.0 Description: The issue allows XPath injection and code execution in the ruby-saml gem because prepared statements are not used. This is related to the xml security.rb file. Recommendations: For versions...
CVE-2015-20108
The CVE-2015-20108 issue affects the ruby-saml gem prior to 1.0.0, where xml_security.rb enables XPath injection and code execution because prepared statements are not used. Affected component: ruby-saml XML security handling. Root cause: lack of prepared statements in XPath processing leads to i...
Oracle Application Testing Suite (Apr 2023 CPU)
The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2023 CPU advisory: - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager component: Load Testing for Web Apps Apac...
Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Santuario XML Security for Java (CVE-2021-40690, CVE-2014-8152)
Summary BM Sterling B2B Integrator has addressed the secuirty vulnerabilities in Apache Santurio XML Security. Vulnerability Details CVEID:CVE-2021-40690 DESCRIPTION: Apache Santuario XML Security for Java could allow a remote attacker to bypass security restrictions, caused by the improper passi...
Debian: Security Advisory (DLA-85-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
K58530825: Apache CXF vulnerability CVE-2017-5653
Security Advisory Description JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. CVE-2017-5653 Impact There is no impact; F5 products are not affected by th...
SUSE CVE-2011-1425
xslt.c in XML Security Library aka xmlsec before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification...
SUSE CVE-2015-5161
The ZendXmlSecurity::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity XXE and XML entity expansion XEE...
SUSE CVE-2019-12400
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this...
The vulnerability of the XML security component of the Oracle Web Services Manager application on the Oracle Fusion Middleware software platform allows a perpetrator to gain unauthorized access to protected data or to modify, add, or delete protected data.
The vulnerability of the XML Security component of the Oracle Web Services Manager application in the Oracle Fusion Middleware software platform is related to insufficient validation of input data. Exploiting this vulnerability may allow an attacker to gain unauthorized access to protected data o...
Remote code execution
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec aka XML Security for Java 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain...
CVE-2023-21862
Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware component: XML Security component. The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web...
Design/Logic Flaw
Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware component: XML Security component. The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web...