Lucene search
+L
OracleBanking Digital Experience

31 matches found

CVE
CVE
added 2020/04/29 12:0 a.m.7695 views

CVE-2020-11022

CVE-2020-11022 affects jQuery versions >=1.2 and =3.5.0 or apply vendor guidance where applicable.

6.9CVSS6.7AI score0.99019EPSS
In wild
CVE
CVE
added 2019/04/19 12:0 a.m.3113 views

CVE-2019-11358

CVE-2019-11358 is a prototype pollution vulnerability in jQuery (before 3.4.0) where mishandling of extend(true, {}, ...) can extend Object.prototype if an unsanitized source object has an enumerable proto property. The Core issue is triggered when a polluted prototype is introduced via nested ob...

6.1CVSS6.4AI score0.87218EPSS
In wild
CVE
CVE
added 2021/04/13 6:50 a.m.636 views

CVE-2021-29425

CVE-2021-29425 affects Apache Commons IO up to version 2.6, specifically FileNameUtils.normalize. With inputs such as "//../foo" or "\..\foo", normalization can yield a value that does not escape to higher directories, potentially enabling access to the parent directory if the resulting path is u...

5.8CVSS6.7AI score0.10608EPSS
In wild
CVE
CVE
added 2020/03/02 3:59 a.m.562 views

CVE-2020-9546

CVE-2020-9546 affects FasterXML jackson-databind 2.x before 2.9.10.4, where serialization gadgets and typing interactions involving org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig can lead to deserialization issues. The IBM/Cloudera bulletin references the same CVE and lists a high impact...

9.8CVSS9.2AI score0.04613EPSS
CVE
CVE
added 2020/03/02 3:58 a.m.527 views

CVE-2020-9548

CVE-2020-9548 affects Cloudera Data Platform Private Cloud Base (IBM) 7.1.9. It is a deserialization vulnerability in FasterXML jackson-databind 2.x up to 2.9.10.3/4 where interaction between serialization gadgets and typing (relating to br.com.anteros.dbcp.AnterosDBCPConfig) can lead to remote c...

9.8CVSS9.1AI score0.18345EPSS
In wild
CVE
CVE
added 2021/04/01 2:20 p.m.520 views

CVE-2021-28164

CVE-2021-28164 (Jetty): Affects Jetty 9.4.37.v20210219–9.4.38.v20210224. The default compliance mode allowed URIs containing encoded dot segments (%2e, %2e%2e) to access protected WEB-INF resources (e.g., /context/%2e/WEB-INF/web.xml), exposing sensitive implementation details. Public references ...

5.3CVSS5.2AI score0.82371EPSS
CVE
CVE
added 2020/03/31 4:37 a.m.504 views

CVE-2020-11113

CVE-2020-11113 is a deserialization vulnerability in FasterXML jackson-databind (2.x before 2.9.10.4) tied to typing gadget interactions (notably related to org.apache.openjpa.ee.WASRegistryManagedRuntime). The connected documents corroborate an exploit path via unsafe deserialization leading to ...

8.8CVSS8.3AI score0.06278EPSS
CVE
CVE
added 2021/10/19 12:0 a.m.484 views

CVE-2021-37136

CVE-2021-37136 : The Bzip2 decompression decoder can set no limit on the decompressed output size, affecting all Bzip2Decoder users. This under- or over-allocates memory during decompression and can trigger an OutOfMemoryError, enabling DoS. Connected IBM/ASTRA entries reiterate the same descript...

7.5CVSS7.4AI score0.05651EPSS
CVE
CVE
added 2021/11/17 12:0 a.m.484 views

CVE-2021-41164

CKEditor4 contains an Advanced Content Filter (ACF) vulnerability (CVE-2021-41164) that allows injection of malformed HTML bypassing sanitization, enabling JavaScript execution. Affected: CKEditor4

8.2CVSS6.2AI score0.01257EPSS
CVE
CVE
added 2020/03/18 9:17 p.m.469 views

CVE-2020-10672

CVE-2020-10672 affects FasterXML jackson-databind 2.x prior to 2.9.10.4. The issue arises from deserialization gadget/typing interaction (related to org.apache. Aries transaction JMS XaPooledConnectionFactory), enabling high-severity impact on data confidentiality/integrity/availability. Connecte...

8.8CVSS8.3AI score0.02984EPSS
CVE
CVE
added 2020/06/14 7:42 p.m.465 views

CVE-2020-14061

CVE-2020-14061 concerns Jackson Databind 2.x before 2.9.10.5, where deserialization gadgets typing interaction (including oracle.jms.AQjms* components) can be exploited. IBM and NVD references show a high-severity exposure (base scores up to 8.1–9.8) with network attack vector and partial to high...

8.1CVSS8.5AI score0.04458EPSS
CVE
CVE
added 2020/03/26 12:43 p.m.454 views

CVE-2020-10968

CVE-2020-10968 affects FasterXML jackson-databind 2.x before 2.9.10.4. The issue arises from how serialization gadgets interact with typing, specifically related to org.aoju.bus.proxy.provider.remoting.RmiProvider (bus-proxy). The result is a deserialization vulnerability with high impact to conf...

8.8CVSS8.3AI score0.03538EPSS
CVE
CVE
added 2021/04/01 2:20 p.m.452 views

CVE-2021-28163

CVE-2021-28163 (Jetty symlink handling) is reported across multiple IBM advisories as a vulnerability in Eclipse Jetty where if the ${jetty.base} or ${jetty.base}/webapps directory is a symlink, an attacker could obtain the contents of the webapps directory. IBM documents list affected products s...

4CVSS5.1AI score0.0418EPSS
In wild
CVE
CVE
added 2020/06/14 7:42 p.m.450 views

CVE-2020-14062

CVE-2020-14062 affects jackson-databind 2.x prior to 2.9.10.5, where interaction between serialization gadgets and typing (related to JNDIConnectionPool) can lead to deserialization abuse with high impact. IBM/X-Force entries consolidate this as a 9.8/3.0 vulnerability. In the connected IBM bulle...

8.1CVSS8.6AI score0.08072EPSS
CVE
CVE
added 2020/06/16 3:7 p.m.450 views

CVE-2020-14195

CVE-2020-14195 affects FasterXML jackson-databind 2.x before 2.9.10.5, where deserialization gadgets/typing interaction can be exploited (related to org.jsecurity JndiRealmFactory) to potentially execute code. IBM X-Force lists a base score of 9.8 with HIGH impact on confidentiality, integrity an...

8.1CVSS8.5AI score0.04549EPSS
CVE
CVE
added 2020/03/31 4:37 a.m.449 views

CVE-2020-11111

CVE-2020-11111 involves FasterXML Jackson Databind 2.x before 2.9.10.4, where deserialization gadgets and typing interaction (related to org.apache.activemq.*) are mishandled. This can impact confidentiality, integrity and availability. Affected product is Jackson Databind 2.x prior to 2.9.10.4; ...

8.8CVSS8.3AI score0.03489EPSS
CVE
CVE
added 2020/03/26 12:43 p.m.443 views

CVE-2020-10969

CVE-2020-10969 : Jackson Databind 2.x prior to 2.9.10.4 has a deserialization flaw caused by how serialization gadgets interact with typing (related to javax.swing.JEditorPane). This can enable deserialization of untrusted data with potential remote code execution. The issue is publicly documente...

8.8CVSS8.3AI score0.03473EPSS
CVE
CVE
added 2020/03/18 9:17 p.m.441 views

CVE-2020-10673

CVE-2020-10673 affects FasterXML jackson-databind 2.x prior to 2.9.10.4. The IBM bulletin and the consolidated Jira/Advisory in connected docs describe a deserialization issue where interaction between serialization gadgets and typing (related to com.caucho.config.types.ResourceRef, aka caucho-qu...

8.8CVSS8.3AI score0.08028EPSS
CVE
CVE
added 2021/10/19 12:0 a.m.438 views

CVE-2021-37137

CVE-2021-37137 involves Netty’s Snappy frame decoding where the SnappyFrameDecoder does not restrict the chunk length, enabling potential excessive memory usage. The issue can be triggered by crafted input that decompresses to a very large size (via network streams or files) or by sending a very ...

7.5CVSS7.4AI score0.0628EPSS
CVE
CVE
added 2020/06/14 8:46 p.m.436 views

CVE-2020-14060

CVE-2020-14060 affects FasterXML jackson-databind 2.x before 2.9.10.5. The root cause is mishandling of the interaction between serialization gadgets and typing (related to JNDIConnectionPool), enabling deserialization-enabled impact on confidentiality, integrity, and availability. The IBM X-Forc...

8.1CVSS8.6AI score0.08607EPSS
CVE
CVE
added 2020/03/31 4:37 a.m.427 views

CVE-2020-11112

CVE-2020-11112 affects FasterXML jackson-databind 2.x before 2.9.10.4, where serialization gadgets and typing interaction is mishandled (related to org.apache.commons.proxy.provider.remoting.RmiProvider). This is a deserialization issue that could enable malicious payload execution; affected prod...

8.8CVSS8.3AI score0.03583EPSS
CVE
CVE
added 2021/07/13 7:15 a.m.402 views

CVE-2021-36090

CVE-2021-36090 affects Apache Commons Compress zip handling: reading a specially crafted ZIP can allocate excessive memory, causing an out-of-memory DoS. Supported details from IBM/AWS advisories point to a fix in Commons Compress (upgrade to 1.21+; e.g., Amazon Linux advisories list apache-commo...

7.5CVSS7.5AI score0.12945EPSS
CVE
CVE
added 2019/10/10 9:4 p.m.338 views

CVE-2019-17495

CVE-2019-17495 is a CSS injection flaw in Swagger UI prior to 3.23.11 using the Relative Path Overwrite (RPO) technique that can lead to exfiltration of sensitive data (e.g., CSRF tokens) via CSS-based input field values. Concrete details across connected docs show multiple IBM advisories referen...

9.8CVSS9.3AI score0.0558EPSS
CVE
CVE
added 2021/07/13 7:15 a.m.326 views

CVE-2021-35515

CVE-2021-35515 is an infinite-loop denial-of-service in Apache Commons Compress when reading a crafted 7Z archive. The issue arises during the construction of the codecs list used to decompress an entry, potentially consuming unbounded CPU and impacting services that rely on the sevenz package. C...

7.5CVSS7.2AI score0.11567EPSS
CVE
CVE
added 2021/07/13 7:15 a.m.318 views

CVE-2021-35517

CVE-2021-35517 affects Apache Commons Compress tar handling. The vulnerability, triggered by reading a specially crafted TAR archive, can cause Compress to allocate excessive memory, potentially leading to an out-of-memory condition and a denial-of-service against services using Compress’ tar pac...

7.5CVSS7.5AI score0.10614EPSS
CVE
CVE
added 2019/11/08 2:46 p.m.299 views

CVE-2019-10219

The CVE-2019-10219 entry affects Hibernate Validator: SafeHtml validator annotation fails to sanitize HTML comments/instructions, enabling XSS in affected code paths. Affected CP4S versions are 1.7.2.0, 1.8.0.0, and 1.8.1.0. Remediation is to upgrade to Cloud Pak for Security 1.9.0.0 per IBM guid...

6.5CVSS6AI score0.02167EPSS
CVE
CVE
added 2021/07/13 7:15 a.m.299 views

CVE-2021-35516

CVE-2021-35516 affects Apache Commons Compress (the sevenz package). A specially crafted 7Z archive can cause the library to allocate excessive memory, ultimately causing an out-of-memory condition and a denial-of-service on services that use Compress’ sevenz component. The initial description do...

7.5CVSS7.3AI score0.12365EPSS
CVE
CVE
added 2021/02/24 12:0 a.m.297 views

CVE-2020-11987

CVE-2020-11987 – SSRF in Apache Batik 1.13 . The initial description confirms a server-side request forgery via improper input validation in NodePickerPanel, enabling an attacker to make arbitrary GET requests from the server. Connected documents corroborate concrete remediation actions across ve...

8.2CVSS7.8AI score0.13635EPSS
CVE
CVE
added 2021/07/20 10:43 p.m.242 views

CVE-2021-2351

CVE-2021-2351 affects Oracle Database Server’s Advanced Networking Option, with affected versions 12.1.0.2, 12.2.0.1, and 19c. The vulnerability allows unauthenticated network access via Oracle Net to compromise the Advanced Networking Option, with access requiring user interaction (UI_R) and ris...

8.3CVSS8.5AI score0.025EPSS
CVE
CVE
added 2021/11/17 7:15 p.m.227 views

CVE-2021-41165

CKEditor4 core HTML processing vulnerability (CVE-2021-41165) allows injection of malformed HTML comments bypassing content sanitization, potentially enabling JavaScript execution. Affected: CKEditor 4.x versions before 4.17.0 (affects all plugins). Impact: execution of arbitrary script in affect...

8.2CVSS6.2AI score0.0147EPSS
CVE
CVE
added 2019/10/16 5:40 p.m.65 views

CVE-2019-3019

CVE-2019-3019 affects Oracle Banking Digital Experience (Loan Calculator) in Oracle Financial Services Applications. Vulnerable versions: 18.1, 18.2, 18.3, 19.1. An attacker with network access via HTTP, low privileges, and requiring user interaction can potentially modify or read Oracle Banking ...

5.4CVSS5AI score0.00726EPSS