Application Express@* Security Vulnerabilities and Issues — Application Express@* CVE List

Lucene search

OracleApplication Express*

42 matches found

CVE•added 2020/04/29 9:15 p.m.•6725 views

CVE-2020-11023

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3...

6.9CVSS7.2AI score0.21547EPSS

In wildWeb

CVE•added 2019/04/20 12:29 a.m.•2239 views

CVE-2019-11358

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

6.1CVSS6.4AI score0.05394EPSS

In wild

CVE•added 2020/03/07 1:15 a.m.•1445 views

CVE-2020-9281

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

6.1CVSS5.4AI score0.00693EPSS

CVE•added 2017/03/15 4:59 p.m.•782 views

CVE-2016-7103

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

6.1CVSS6AI score0.01397EPSS

In wild

CVE•added 2021/10/26 3:15 p.m.•759 views

CVE-2021-41184

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS ...

6.5CVSS6.5AI score0.29896EPSS

CVE•added 2021/10/26 3:15 p.m.•631 views

CVE-2021-41182

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now trea...

6.5CVSS6.4AI score0.26482EPSS

CVE•added 2021/01/26 9:15 p.m.•622 views

CVE-2021-26272

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

6.5CVSS6.6AI score0.00203EPSS

CVE•added 2022/03/16 5:15 p.m.•569 views

CVE-2022-24729

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the dialog plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser...

7.5CVSS6.7AI score0.0043EPSS

CVE•added 2021/10/26 3:15 p.m.•550 views

CVE-2021-41183

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now alway...

6.5CVSS6.5AI score0.02361EPSS

CVE•added 2021/01/26 9:15 p.m.•540 views

CVE-2021-26271

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).

6.5CVSS6.6AI score0.00639EPSS

CVE•added 2022/03/16 4:15 p.m.•491 views

CVE-2022-24728

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitizatio...

5.4CVSS5.9AI score0.00604EPSS

CVE•added 2021/11/17 7:15 p.m.•450 views

CVE-2021-41164

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result ...

8.2CVSS6.2AI score0.00051EPSS

CVE•added 2021/08/12 5:15 p.m.•362 views

CVE-2021-32809

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 Clipboard package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It af...

5.4CVSS5.8AI score0.00207EPSS

CVE•added 2021/08/13 12:15 a.m.•316 views

CVE-2021-37695

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 Fake Objects package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using th...

7.3CVSS6AI score0.00401EPSS

CVE•added 2021/08/12 5:15 p.m.•238 views

CVE-2021-32808

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing J...

7.6CVSS6.1AI score0.01222EPSS

CVE•added 2021/11/17 8:15 p.m.•200 views

CVE-2021-41165

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result i...

8.2CVSS6.2AI score0.00089EPSS

CVE•added 2021/06/28 8:15 p.m.•160 views

CVE-2021-32723

Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been f...

7.4CVSS6.5AI score0.00373EPSS

CVE•added 2020/10/07 4:15 p.m.•152 views

CVE-2020-26870

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

6.1CVSS6.1AI score0.0029EPSS

CVE•added 2020/10/30 11:15 a.m.•147 views

CVE-2020-7760

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vu...

7.5CVSS6.1AI score0.0034EPSS

CVE•added 2020/11/12 9:15 p.m.•138 views

CVE-2020-27193

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.

6.1CVSS5.9AI score0.00908EPSS

CVE•added 2023/07/18 9:15 p.m.•81 views

CVE-2023-21983

Vulnerability in the Application Express Administration product of Oracle Application Express (component: None). Supported versions that are affected are Application Express Administration: 18.2-22.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to...

5.6CVSS5.2AI score0.00134EPSS

CVE•added 2023/07/18 9:15 p.m.•74 views

CVE-2023-21975

Vulnerability in the Application Express Customers Plugin product of Oracle Application Express (component: User Account). Supported versions that are affected are Application Express Customers Plugin: 18.2-22.2. Easily exploitable vulnerability allows low privileged attacker with network access vi...

9CVSS8.8AI score0.00519EPSS

CVE•added 2021/07/21 12:15 a.m.•71 views

CVE-2021-2460

Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server. The supported version that is affected is Prior to 21.1.0.00.04. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to com...

5.4CVSS5AI score0.00255EPSS

CVE•added 2023/07/18 9:15 p.m.•71 views

CVE-2023-21974

Vulnerability in the Application Express Team Calendar Plugin product of Oracle Application Express (component: User Account). Supported versions that are affected are Application Express Team Calendar Plugin: 18.2-22.1. Easily exploitable vulnerability allows low privileged attacker with network a...

9CVSS8.8AI score0.00519EPSS

CVE•added 2020/04/15 2:15 p.m.•59 views

CVE-2020-2514

Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to 19.2. Easily exploitable vulnerability allows low privileged attacker having End User Role privilege with network access via HTTPS to compromise Oracle Application...

4.9CVSS4AI score0.00424EPSS

CVE•added 2018/01/18 2:29 a.m.•55 views

CVE-2018-2699

Vulnerability in the Application Express component of Oracle Database Server. The supported version that is affected is Prior to 5.1.4.00.08. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Application Express. Successful attacks require h...

6.1CVSS5.3AI score0.00463EPSS

CVE•added 2016/07/21 10:12 a.m.•54 views

CVE-2016-3448

Unspecified vulnerability in the Application Express component in Oracle Database Server before 5.0.4 allows remote attackers to affect confidentiality and integrity via unknown vectors.

6.1CVSS5.8AI score0.00315EPSS

CVE•added 2019/07/23 11:15 p.m.•53 views

CVE-2019-2484

Vulnerability in the Application Express component of Oracle Database Server. Supported versions that are affected are 5.1 and 18.2. Easily exploitable vulnerability allows low privileged attacker having Valid Account privilege with network access via HTTP to compromise Application Express. Success...

5.4CVSS5.1AI score0.00185EPSS

CVE•added 2020/10/21 3:15 p.m.•50 views

CVE-2020-14762

Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having SQL Workshop privilege with network access via HTTP to compromise Oracle Application E...

5.4CVSS5.4AI score0.00185EPSS

CVE•added 2020/07/15 6:15 p.m.•50 views

CVE-2020-2513

Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2. Easily exploitable vulnerability allows low privileged attacker having SQL Workshop privilege with network access via HTTP to compromise Oracle Application Express...

5.4CVSS5.1AI score0.00283EPSS

CVE•added 2020/07/15 6:15 p.m.•49 views

CVE-2020-2971

5.4CVSS5.1AI score0.00185EPSS

CVE•added 2020/07/15 6:15 p.m.•49 views

CVE-2020-2972

5.4CVSS5.1AI score0.00241EPSS

CVE•added 2020/07/15 6:15 p.m.•47 views

CVE-2020-2973

5.4CVSS5.1AI score0.00185EPSS

CVE•added 2020/07/15 6:15 p.m.•47 views

CVE-2020-2975

5.4CVSS5.1AI score0.00185EPSS

CVE•added 2020/10/21 3:15 p.m.•46 views

CVE-2020-14900

Vulnerability in the Oracle Application Express Group Calendar component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise...

5.4CVSS5AI score0.00185EPSS

CVE•added 2020/10/21 3:15 p.m.•41 views

CVE-2020-14763

Vulnerability in the Oracle Application Express Quick Poll component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Ora...

5.4CVSS5.3AI score0.00185EPSS

CVE•added 2020/07/15 6:15 p.m.•41 views

CVE-2020-2974

5.4CVSS5.1AI score0.00185EPSS

CVE•added 2016/07/21 10:12 a.m.•40 views

CVE-2016-3467

Unspecified vulnerability in the Application Express component in Oracle Database Server before 5.0.4 allows remote attackers to affect availability via unknown vectors.

5.8CVSS5.7AI score0.00961EPSS

CVE•added 2020/07/15 6:15 p.m.•39 views

CVE-2020-2977

Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application E...

4.9CVSS4.1AI score0.00185EPSS

CVE•added 2020/07/15 6:15 p.m.•38 views

CVE-2020-2976

5.4CVSS5.1AI score0.00185EPSS

CVE•added 2020/10/21 3:15 p.m.•37 views

CVE-2020-14899

Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise ...

5.4CVSS5AI score0.00185EPSS

CVE•added 2020/10/21 3:15 p.m.•35 views

CVE-2020-14898

Vulnerability in the Oracle Application Express Packaged Apps component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise ...

5.4CVSS5AI score0.00185EPSS