140 matches found
Potential for Information Disclosure in Application Skeleton
Potential for Information Disclosure in Application Skeleton The default application skeleton contained a beforeRender method on the AppController that could potentially lead to unwanted information disclosure in your application. The unsafe default code was present between 3.1.0 and 3.5.0 of the...
[SECURITY] [DLA 930-1] libxstream-java security update
Package : libxstream-java Version : 1.4.2-1+deb7u2 CVE ID : CVE-2017-7957 Debian Bug : 861521 It was discovered that there was a remote application crash vulnerability in libxstream-java, a Java library to serialize objects to XML and back again. This was due to mishandled attempts to create an...
[SECURITY] Fedora 25 Update: jenkins-xstream-1.4.7-11.jenkins1.fc25
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
[SECURITY] Fedora 24 Update: jenkins-xstream-1.4.7-11.jenkins1.fc24
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
[SECURITY] Fedora 24 Update: xstream-1.4.9-5.fc24
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
[SECURITY] Fedora 26 Update: jenkins-xstream-1.4.7-11.jenkins1.fc26
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
[SECURITY] Fedora 26 Update: xstream-1.4.9-5.fc26
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
DEBIAN-CVE-2016-4483
The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service out-of-bounds read and application crash via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627...
UBUNTU-CVE-2016-4483
The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service out-of-bounds read and application crash via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627...
[SECURITY] Fedora 22 Update: xstream-1.4.9-1.fc22
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
[SECURITY] Fedora 23 Update: xstream-1.4.9-1.fc23
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
[SECURITY] Fedora 24 Update: xstream-1.4.9-1.fc24
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
XStream 反序列化漏洞
Xstream 的反序列化漏洞的根源就是 Groovy 组件的问题参考 Apache Groovy MethodClosure 远程代码执行漏洞(CVE-2015-3253),只不过在 Xstream 中进行反序列化时恰好有触发存在缺陷函数的点,也就是 Xstream 在反序列化时调用了 Mapput 函数将构造好的 Expando 实例作为 key 添加到集合中时触发了代码执行,如下图: 这里的 key 就是我们构造的 Expando 的实例对象。 在构造 EXP 时,首先我们要构造一个 Expando 的一个对象实例,同时设置 hashCode 的实现为 MethodClosure...
[SECURITY] Fedora 19 Update: xstream-1.3.1-5.1.fc19
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
[SECURITY] Fedora 20 Update: xstream-1.3.1-9.fc20
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
CVE-2013-7249
Fat Free CRM before 0.12.1 does not restrict XML serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.xml, a different vulnerability than CVE-2013-7224...
CVE-2013-7249
CVE-2013-7249 affects Fat Free CRM prior to 0.12.1. The issue is an XML serialization restriction flaw that allows remote attackers to obtain sensitive information via a direct request (e.g., /users/1.xml). This is explicitly described as a separate vulnerability from CVE-2013-7224. The available...
openSUSE 10 Security Update : mono-core (mono-core-2182)
The Mono System.Xml.Serialization class contained a /tmp race which allows local attackers to potentially execute code as the user using the Serialization method. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSU...
[Full-disclosure] ASP.NET RCP/Encoded Web service DOS
ASP.NET RCP/Encoded Web service DOS http://www.spidynamics.com/spilabs/advisories/aspRCP.html Release Date: July 11, 2005 Severity: High System Affected IIS Servers exposing ASP.NET Web services that consume arrays in RCP/Encoded mode Applications using System.Xml.Serialization to consume untrust...
CVE-2022-40154
Removed by vendor...