42 matches found
CVE-2020-11022
CVE-2020-11022 affects jQuery versions >=1.2 and =3.5.0 or apply vendor guidance where applicable.
CVE-2020-11023
The connected Astra Linux bulletin confirms CVE-2020-11023: in jQuery versions >= 1.0.3 and < 3.5.0, passing HTML containing elements from untrusted sources to DOM manipulation methods (e.g., .html(), .append()) may lead to untrusted code execution. Patch released in jQuery 3.5.0. Remediat...
CVE-2016-8735
CVE-2016-8735 is a remote code execution vulnerability in Apache Tomcat via JmxRemoteLifecycleListener. Affected are Tomcat releases before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12, when JMX ports are reachable. Root cause: JmxRemoteLifecycleListe...
CVE-2020-7656
CVE-2020-7656 affects jQuery versions prior to 1.9.0. The vulnerability arises from the load method failing to strip certain ), enabling cross‑site scripting. Public materials describe PoC/exploitation and public advisories/patch guidance (e.g., upgrade to 1.9.0+). The CVE is documented with an o...
CVE-2020-36518
CVE-2020-36518 affects jackson-databind prior to 2.13.0, enabling a Java StackOverflow and DoS via excessive nesting depth. In affected advisories, remediation is to upgrade jackson-databind to 2.13.0+ (examples show 2.13.x or newer such as 2.13.4.2 in Crowd/CWD references). Practical impact is d...
CVE-2018-11784
CVE-2018-11784 affects Apache Tomcat: the default servlet could be tricked into generating redirects to arbitrary URIs when handling requests like /foo, enabling open redirect. Affected branches include 9.0.x (9.0.0.M1–9.0.11), 8.5.x (8.5.0–8.5.33), and 7.0.x (7.0.23–7.0.90). Root cause is how th...
CVE-2018-18311
CVE-2018-18311 is a Perl vulnerability describing a buffer overflow caused by crafted regular expressions and an integer/offset issue in Perl’s environment setup (Perl before 5.26.3 and 5.28.x before 5.28.1). Connected advisories show multiple distributions releasing patches and updates to Perl p...
CVE-2021-28169
CVE-2021-28169 affects Eclipse Jetty shipped with multiple versions (<= 9.4.40, <= 10.0.2,
CVE-2020-27218
CVE-2020-27218 affects Eclipse Jetty 9.4.x (9.4.0.RC0–9.4.34.v20201102), 10.x (10.0.0.alpha0–beta2), and 11.x (11.0.0.alpha0–beta2). When GZIP request body inflation is enabled and requests from different clients are multiplexed on one connection, an attacker who can send a body that is received ...
CVE-2020-10683
CVE-2020-10683 is described in IBM Bulletin sources as an XXE vulnerability in the dom4j library, allowing a remote authenticated attacker to obtain sensitive information through XML processing. The issue stems from dom4j handling External DTDs/Entities by default, and multiple IBM entries map th...
CVE-2018-1000632
CVE-2018-1000632 affects dom4j prior to 2.1.1 with an XML Injection (CWE-91) in Element methods addElement/addAttribute. An attacker could tamper XML content via crafted attributes/elements. The issue is fixed in 2.1.1+, and IBM/IOC advisories indicate upgrading dom4j (e.g., to 2.1.4 in IOC) to a...
CVE-2020-12723
CVE-2020-12723 : In Perl, regcomp.c allows a buffer overflow in the regex compiler due to crafted regular expressions, caused by recursive S_study_chunk calls. The issue affects Perl before 5.30.3, notably on 32‑bit platforms. Reports in Connected documents indicate fixes have been released (e.g....
CVE-2020-27223
CVE-2020-27223 affects Eclipse Jetty 9.4.6.v20170531–9.4.36.v20210114, 10.0.0, and 11.0.0, where handling requests with multiple Accept headers and many quality (q) values can cause high CPU usage and a DoS. Public sources consistently describe CPU exhaustion as the impact. Remediation is to upgr...
CVE-2021-34429
CVE-2021-34429 affects Eclipse Jetty: 9.4.37–9.4.42, 10.0.1–10.0.5, and 11.0.1–11.0.5. A vulnerability allows crafting certain encoded URIs to access WEB-INF content and bypass some security constraints, constituting a variation of CVE-2021-28164. Public references in connected docs describe this...
CVE-2021-34428
CVE-2021-34428 affects Eclipse Jetty up to 9.4.40, 10.0.2, and 11.0.2. The root cause is an exception in SessionListener#sessionDestroyed() that prevents the session ID from being invalidated in the session ID manager, which in clustered deployments can leave a user session active on a shared mac...
CVE-2020-10878
Perl before 5.30.3 contains an integer overflow in the regular expression compiler (related to PL_regkind[OP(n)] == NOTHING). A crafted regex can produce malformed bytecode with a possibility of instruction injection, as documented by multiple advisories and CVEs (e.g., CVE-2020-10878). Public re...
CVE-2021-22096
CVE-2021-22096 affects Spring Framework versions 5.3.0–5.3.10, 5.2.0–5.2.17 and older unsupported versions. The issue allows a user to provide malicious input to cause the insertion of additional log entries. Connected Nessus/IBM entries describe a follow-up (CVE-2021-22060) that broadens input c...
CVE-2021-23926
CVE-2021-23926 involves Apache XMLBeans up to 2.6.0, where XML parsers did not set necessary protections against malicious XML input, enabling an XML External Entity (XXE) attack and related.entity expansion concerns. The main impact cited is a potential denial of service or information disclosur...
CVE-2019-10247
CVE-2019-10247 affects Eclipse Jetty when configured to list contexts in 404 responses. Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older disclose the fully qualified directory base resource location in the HTML output of a not-found Context, via the DefaultHandler...
CVE-2021-42550
This CVE affects Logback 1.2.7 and earlier, where an attacker with write access to configuration files can craft a malicious configuration that loads and executes arbitrary code from LDAP servers. The impact is remote code execution with the attacker’s privileges on systems using vulnerable Logba...
CVE-2017-7657
CVE-2017-7657 affects Eclipse Jetty: transfer-encoding chunk size parsing could overflow an integer, causing large chunks to be treated as smaller ones and enabling a fake pipelined request that bypasses intermediary authorization. Affected versions include Jetty 9.2.x and older, 9.3.x (all confi...
CVE-2018-12015
CVE-2018-12015 affects the Archive::Tar module in Perl (up to 5.26.2). The vulnerability lets a crafted tar archive bypass directory-traversal protection and overwrite arbitrary files when a tar contains a symlink and a regular file with the same name. Affected advisories/archives confirm the iss...
CVE-2020-27216
CVE-2020-27216 affects Eclipse Jetty in Unix-like environments across versions 1.0–9.4.32.v20200930, 10.0.0.alpha1–10.0.0.beta2, and 11.0.0.alpha1–11.0.0.beta2O. It describes a race condition where the system temporary directory is shared among users, allowing a collocated user to observe the cre...
CVE-2022-22968
CVE-2022-22968 affects Spring Framework where DataBinder’s disallowedFields patterns are case sensitive in versions 5.3.0–5.3.18, 5.2.0–5.2.20, and older unsupported releases. The issue means a field is not fully protected unless every first character (and nested path) is listed in both uppercase...
CVE-2020-5421
CVE-2020-5421 affects Spring Framework releases across multiple lines (5.2.x to 5.0.x, 4.3.x and older). The issue arises from improper input handling of the jsessionid path parameter, which may bypass RFD Protection and weaken security controls. Affected products reference VMware Tanzu Spring Fr...
CVE-2016-5018
CVE-2016-5018 affects multiple Tomcat branches (9.0.0.M1–M9, 8.5.0–8.5.4, 8.0.0.RC1–8.0.36, 7.0.0–7.0.70, 6.0.0–6.0.45). The vulnerability allows a malicious web application to bypass a configured SecurityManager via a Tomcat utility method that is accessible to web applications, enabling bypass ...
CVE-2018-18313
Perl before 5.26.3 is affected by a buffer over-read triggered by crafted regular expressions, which can disclose sensitive data from process memory. Public sources (e.g., USN-3834-1, Debian/CVE trackers) confirm CVE-2018-18313 and list affected platforms, noting that upgrading to Perl 5.26.3 or ...
CVE-2018-18312
Perl 5.26.3 and 5.28.0 before 5.28.1 are affected by CVE-2018-18312 due to a buffer overflow in handling crafted regular expressions (regcomp.c). The issue enables invalid writes when parsing certain regex patterns. Affected versions: Perl before 5.26.3 and 5.28.0 before 5.28.1. Fixes are availab...
CVE-2017-7658
In CVE-2017-7658, Eclipse Jetty had a flaw in how it handles HTTP requests when multiple Content-Length headers are present or when a Content-Length header accompanies a chunked encoding header. This could allow a forged or pipelined request to bypass intermediary authorization if the shorter len...
CVE-2018-18314
CVE-2018-18314 affects Perl before 5.26.3, with a buffer overflow triggered by a crafted regular expression that leads to invalid write operations during compilation. Connected sources corroborate the issue and mention related details, including a root cause in regcomp.c (S_regatom) and potential...
CVE-2016-6797
CVE-2016-6797 stems from Apache Tomcat’s ResourceLinkFactory not restricting web app access to global JNDI resources, allowing a web application to access any global JNDI resource regardless of explicit ResourceLink. Affects Tomcat 6.x/7.x/8.x/9.x releases listed in the entry (various 6.0–9.0 lin...
CVE-2016-0762
CVE-2016-0762 affects Apache Tomcat realms across multiple branches (Tomcat 9.0.x, 8.5.x, 8.0.x, 7.0.x, 6.0.x). The root cause: Realm implementations did not process the supplied password when the username did not exist, enabling a timing attack to determine valid usernames. The default LockOutRe...
CVE-2016-6794
CVE-2016-6794 affects Apache Tomcat across multiple branches (7.x, 8.x, 9.x) and versions, where the system property replacement feature for configuration files can bypass a configured SecurityManager to read restricted system properties. Connected advisories show concrete impact and suggested fi...
CVE-2016-6796
CVE-2016-6796 affects Apache Tomcat across multiple lines: a malicious web application could bypass the SecurityManager by manipulating the configuration parameters for the JSP Servlet. Affected versions include Tomcat 9.0.0.M1–9.0.0.M9, 8.5.0–8.5.4, 8.0.0.RC1–8.0.36, 7.0.0–7.0.70, and 6.0.0–6.0....
CVE-2020-13954
CVE-2020-13954 is an Apache CXF cross-site scripting (XSS) vulnerability exposed via the /services listing page. The issue arises from improper validation of user-supplied input through styleSheetPath, enabling an attacker to inject script when the URL is visited. Public documentation in the init...
CVE-2018-12538
CVE-2018-12538 affects Eclipse Jetty 9.4.0–9.4.8 when using the FileSessionDataStore for HttpSession persistence. A malicious user could hijack or delete other users’ sessions via the FileSystem storage, due to a flaw in the FileSessionDataStore. Remediation noted in public advisories: upgrade Je...
CVE-2019-10246
CVE-2019-10246 is described in connected IBM security bulletins as an Eclipse Jetty vulnerability where a server configured to Listing directory contents could expose the fully-qualified Base Resource directory name to remote clients, potentially revealing sensitive information. IBM Cognos Analyt...
CVE-2015-8960
The CVE-2015-8960 entry concerns TLS protocol versions 1.2 and earlier. The root cause is that certain ClientCertificateType values (rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, ecdsa_fixed_ecdh) are supported but the protocol does not document the ability to compute the master secret in scenarios...
CVE-2021-23901
The CVE-2021-23901 issue affects Apache Nutch DmozParser prior to 1.18, where an XML External Entity (XXE) injection was exploitable due to improper XML processing. Affected component: DmozParser in Nutch versions
CVE-2016-5372
NetApp Snap Creator Framework CVE-2016-5372 is a CSRF vulnerability affecting versions prior to 4.3.0P1. A remote attacker could hijack user authentication and, per CNVD details, perform unauthorized operations and gain privileges for affected applications via unknown vectors. Mitigation: upgrade...
CVE-2016-5710
The CVE-2016-5710 entry affects NetApp Snap Creator Framework prior to 4.3P1. It describes a clickjacking vulnerability that can be triggered by remote authenticated users via unspecified vectors. Exploitation details are not provided in the supplied documents. The issue appears resolved by upgra...
CVE-2016-7172
CVE-2016-7172 affects NetApp Snap Creator Framework prior to version 4.3.1, where an information disclosure vulnerability allows unauthorized viewing of sensitive data. The issue is tied to NetApp Snap Creator Framework and is documented across multiple sources (NVD/CNVD/etc.) with consistent pro...