Lucene search
K
OracleBanking Platform

72 matches found

CVE
CVE
added 2020/04/29 12:0 a.m.7237 views

CVE-2020-11023

The connected Astra Linux bulletin confirms CVE-2020-11023: in jQuery versions >= 1.0.3 and < 3.5.0, passing HTML containing elements from untrusted sources to DOM manipulation methods (e.g., .html(), .append()) may lead to untrusted code execution. Patch released in jQuery 3.5.0. Remediat...

6.9CVSS7.2AI score0.8383EPSS
In wild
CVE
CVE
added 2018/01/18 11:0 p.m.3288 views

CVE-2015-9251

CVE-2015-9251 affects jQuery before 3.0.0, enabling XSS when a cross-domain Ajax request omits the dataType option and text/javascript responses are executed. Connected advisories confirm the issue and indicate an upgrade resolves it; remediation is to upgrade jQuery to a fixed version as provide...

6.1CVSS6.3AI score0.29726EPSS
Web
CVE
CVE
added 2019/04/19 12:0 a.m.3079 views

CVE-2019-11358

CVE-2019-11358 is a prototype pollution vulnerability in jQuery (before 3.4.0) where mishandling of extend(true, {}, ...) can extend Object.prototype if an unsanitized source object has an enumerable proto property. The Core issue is triggered when a polluted prototype is introduced via nested ob...

6.1CVSS6.4AI score0.87218EPSS
In wild
CVE
CVE
added 2021/12/18 11:55 a.m.1186 views

CVE-2021-45105

Summary of CVE-2021-45105 (Log4j2) : Affected Log4j 2.x versions 2.0-alpha1 through 2.16.0 (except 2.12.3 and 2.3.1) are vulnerable to denial of service via uncontrolled recursion triggered by self-referential lookups in Thread Context Map data. The root cause is improper handling of self-referen...

5.9CVSS7.7AI score0.99999EPSS
In wildWeb
CVE
CVE
added 2021/10/26 12:0 a.m.1088 views

CVE-2021-41182

CVE-2021-41182 is an XSS in the jQuery-UI Datepicker altField path (embedded in some OTRS deployments). Affected version observed as 1.12.1 copy; the issue is fixed in jQuery UI 1.13.0 by treating any altField value as a CSS selector. Debris from related CVEs (41183/41184) describe similar issues...

6.5CVSS6.4AI score0.42229EPSS
CVE
CVE
added 2019/08/20 8:10 p.m.951 views

CVE-2019-10086

CVE-2019-10086 affects Apache Commons BeanUtils 1.9.2, where a BeanIntrospector addition could suppress access to the classloader via the class property on Java objects. The issue stems from not applying the suppression by default in PropertyUtilsBean, enabling potential risk across affected depl...

7.5CVSS7.3AI score0.28839EPSS
CVE
CVE
added 2021/10/26 12:0 a.m.912 views

CVE-2021-41184

CVE-2021-41184 describes an XSS in jQuery-UI before 1.13.0 where untrusted input passed to the of option of the .position() utility could lead to code execution. The connected documents confirm the issue affects jQuery-UI embedded in other software (e.g., OTRS/IU contexts) and state the fix is to...

6.5CVSS6.5AI score0.44515EPSS
Web
CVE
CVE
added 2021/04/13 6:50 a.m.634 views

CVE-2021-29425

CVE-2021-29425 affects Apache Commons IO up to version 2.6, specifically FileNameUtils.normalize. With inputs such as "//../foo" or "\..\foo", normalization can yield a value that does not escape to higher directories, potentially enabling access to the parent directory if the resulting path is u...

5.8CVSS6.7AI score0.10608EPSS
In wild
CVE
CVE
added 2020/12/03 4:16 p.m.614 views

CVE-2020-25649

The CVE-2020-25649 entry concerns a flaw in FasterXML Jackson Databind where entity expansion was not properly secured, enabling XML External Entity (XXE) attacks. This is a data-integrity risk. Connected advisories consistently associate the issue with Jackson Databind and XXE, and several sourc...

7.5CVSS7.3AI score0.17611EPSS
CVE
CVE
added 2021/10/26 12:0 a.m.609 views

CVE-2021-41183

CVE-2021-41183 concerns jQuery-UI’s Datepicker in the embedded jQuery-UI copy used by OTRS (notably in the 1.12.1 series). The vulnerability arises from accepting values for the various *Text options from untrusted sources, which could allow execution of untrusted code. The issue is fixed in jQue...

6.5CVSS6.5AI score0.07948EPSS
CVE
CVE
added 2019/09/15 9:45 p.m.604 views

CVE-2019-14540

CVE-2019-14540 affects jackson-databind up to version 2.9.10 with serialization gadget risk involving the HikariCP classes (com.zaxxer.hikari.HikariConfig). The authoritative initial doc notes a polymorphic typing issue in jackson-databind related to HikariConfig. Connected-material references (A...

9.8CVSS9.3AI score0.10676EPSS
CVE
CVE
added 2017/04/17 9:0 p.m.603 views

CVE-2017-5645

CVE-2017-5645 affects Apache Log4j 2.x prior to 2.8.2. The vulnerability arises when using a TCP/UDP socket server to receive serialized log events from another application; a crafted binary payload can be deserialized to execute arbitrary code. The documented impact is remote code execution via ...

9.8CVSS9.5AI score0.8904EPSS
CVE
CVE
added 2020/03/02 3:59 a.m.560 views

CVE-2020-9546

CVE-2020-9546 affects FasterXML jackson-databind 2.x before 2.9.10.4, where serialization gadgets and typing interactions involving org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig can lead to deserialization issues. The IBM/Cloudera bulletin references the same CVE and lists a high impact...

9.8CVSS9.2AI score0.04613EPSS
CVE
CVE
added 2020/03/02 3:59 a.m.545 views

CVE-2020-9547

CVE-2020-9547 involves jackson-databind 2.x before 2.9.10.4 where deserialization gadget typing interaction (related to ibatis-sqlmap) enables likely remote code execution. Connected IBM advisories enumerate multiple CBEs in jackson-databind and show affected IBM products; remediation guidance ge...

9.8CVSS9.1AI score0.18671EPSS
In wild
CVE
CVE
added 2021/03/10 8:0 a.m.541 views

CVE-2020-13936

CVE-2020-13936 affects Apache Velocity, where modifying Velocity templates can bypass the sandbox and allow remote code execution with the container’s privileges. Engine versions affected include up to 2.2; IBM and related advisories flag this as a Velocity sandbox bypass leading to arbitrary cod...

9CVSS8.9AI score0.22709EPSS
CVE
CVE
added 2020/03/02 3:58 a.m.523 views

CVE-2020-9548

CVE-2020-9548 affects Cloudera Data Platform Private Cloud Base (IBM) 7.1.9. It is a deserialization vulnerability in FasterXML jackson-databind 2.x up to 2.9.10.3/4 where interaction between serialization gadgets and typing (relating to br.com.anteros.dbcp.AnterosDBCPConfig) can lead to remote c...

9.8CVSS9.1AI score0.18345EPSS
In wild
CVE
CVE
added 2020/05/01 6:55 p.m.505 views

CVE-2020-10683

CVE-2020-10683 is described in IBM Bulletin sources as an XXE vulnerability in the dom4j library, allowing a remote authenticated attacker to obtain sensitive information through XML processing. The issue stems from dom4j handling External DTDs/Entities by default, and multiple IBM entries map th...

9.8CVSS9.2AI score0.07269EPSS
CVE
CVE
added 2020/03/31 4:37 a.m.503 views

CVE-2020-11113

CVE-2020-11113 is a deserialization vulnerability in FasterXML jackson-databind (2.x before 2.9.10.4) tied to typing gadget interactions (notably related to org.apache.openjpa.ee.WASRegistryManagedRuntime). The connected documents corroborate an exploit path via unsafe deserialization leading to ...

8.8CVSS8.3AI score0.06278EPSS
CVE
CVE
added 2018/02/06 3:0 p.m.494 views

CVE-2017-7525

CVE-2017-7525 is a deserialization flaw in jackson-databind enabling code execution via ObjectMapper.readValue on versions before 2.6.7.1, 2.7.9.1, or 2.8.9. Astra Linux notes extend the issue to versions before 2.8.10 and 2.9.1, and newer advisories reference mitigations/updates. Remediation vis...

9.8CVSS9.2AI score0.37925EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.494 views

CVE-2021-21341

CVE-2021-21341 affects the XStream Java library (unmarshalling) prior to 1.4.16. The vulnerability enables a remote attacker to cause a denial-of-service by consuming 100% CPU time via manipulated input streams. Impact is described as CPU denial of service; no user impact if the recommended Secur...

7.5CVSS8.5AI score0.77801EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.492 views

CVE-2021-21342

CVE-2021-21342 affects the Java library XStream (prior to 1.4.16). During unmarshalling, the processed input stream can include type information used to recreate objects, enabling an attacker to inject/replace objects and trigger a server-side forgery. The documented fix is to upgrade to at least...

9.1CVSS7.3AI score0.4999EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.485 views

CVE-2021-21343

CVE-2021-21343 affects XStream (Java) prior to 1.4.16. The vulnerability arises during unmarshalling when the processed input stream carries type information, enabling an attacker to create new instances based on that data and potentially replace or inject objects, including causing local file de...

7.5CVSS7.1AI score0.46666EPSS
CVE
CVE
added 2020/03/18 9:17 p.m.467 views

CVE-2020-10672

CVE-2020-10672 affects FasterXML jackson-databind 2.x prior to 2.9.10.4. The issue arises from deserialization gadget/typing interaction (related to org.apache. Aries transaction JMS XaPooledConnectionFactory), enabling high-severity impact on data confidentiality/integrity/availability. Connecte...

8.8CVSS8.3AI score0.02959EPSS
CVE
CVE
added 2019/01/02 6:0 p.m.466 views

CVE-2018-14721

CVE-2018-14721 affects FasterXML jackson-databind 2.x up to 2.9.6 (before 2.9.7). The flaw allows remote attackers to perform SSRF by failing to block axis2-jaxws class during polymorphic deserialization, enabling server-side requests under network access. The vulnerability is tied to the misuse ...

10CVSS9.4AI score0.10458EPSS
CVE
CVE
added 2020/04/07 10:14 p.m.460 views

CVE-2020-11619

CVE-2020-11619 affects Jackson Databind 2.x before 2.9.10.4 and is caused by mishandling the interaction between serialization gadgets and typing (related to spring-aop). This deserialization issue can lead to arbitrary code execution when a crafted JSON is processed, as described in IBM/ISIQ con...

8.1CVSS8AI score0.03607EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.455 views

CVE-2021-21344

Summary: CVE-2021-21344 affects the XStream Java XML serialization library. In versions before 1.4.16, a remote attacker can load and execute arbitrary code by manipulating the processed input stream. The risk is mitigated if the security framework whitelist is properly configured; otherwise the ...

9.8CVSS8AI score0.7598EPSS
CVE
CVE
added 2020/03/26 12:43 p.m.453 views

CVE-2020-10968

CVE-2020-10968 affects FasterXML jackson-databind 2.x before 2.9.10.4. The issue arises from how serialization gadgets interact with typing, specifically related to org.aoju.bus.proxy.provider.remoting.RmiProvider (bus-proxy). The result is a deserialization vulnerability with high impact to conf...

8.8CVSS8.3AI score0.03538EPSS
CVE
CVE
added 2020/05/14 3:57 p.m.450 views

CVE-2020-1945

This CVE (CVE-2020-1945) affects Apache Ant. Connected Arch Linux advisory ASA-202005-15 confirms the vulnerability exists in ant before version 1.10.8-1, where Ant uses java.io.tmpdir for several tasks and can leak sensitive information. The fixcrlf and replaceregexp tasks may copy files from th...

6.3CVSS6.8AI score0.01793EPSS
CVE
CVE
added 2020/03/31 4:37 a.m.448 views

CVE-2020-11111

CVE-2020-11111 involves FasterXML Jackson Databind 2.x before 2.9.10.4, where deserialization gadgets and typing interaction (related to org.apache.activemq.*) are mishandled. This can impact confidentiality, integrity and availability. Affected product is Jackson Databind 2.x prior to 2.9.10.4; ...

8.8CVSS8.3AI score0.03489EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.445 views

CVE-2021-21351

CVE-2021-21351 is an XStream deserialization vulnerability. Connected IBM advisories confirm the issue affects IBM Data Risk Manager (IDRM) and IBM Engineering/Test Management products via bundled XStream versions, with exploitation through unmarshalling to achieve arbitrary code execution. Remed...

9.1CVSS8.1AI score0.82136EPSS
CVE
CVE
added 2020/03/26 12:43 p.m.443 views

CVE-2020-10969

CVE-2020-10969 : Jackson Databind 2.x prior to 2.9.10.4 has a deserialization flaw caused by how serialization gadgets interact with typing (related to javax.swing.JEditorPane). This can enable deserialization of untrusted data with potential remote code execution. The issue is publicly documente...

8.8CVSS8.3AI score0.03473EPSS
CVE
CVE
added 2020/11/16 9:0 p.m.442 views

CVE-2020-26217

XStream (Java) vulnerable to remote code execution via insecure XML deserialization. The issue affects versions before 1.4.14 where processing input streams can lead to arbitrary shell execution. The advisory notes that only users relying on a blocklist are affected, while those using the securit...

9.3CVSS8.2AI score0.85001EPSS
Web
CVE
CVE
added 2020/03/18 9:17 p.m.435 views

CVE-2020-10673

CVE-2020-10673 affects FasterXML jackson-databind 2.x prior to 2.9.10.4. The IBM bulletin and the consolidated Jira/Advisory in connected docs describe a deserialization issue where interaction between serialization gadgets and typing (related to com.caucho.config.types.ResourceRef, aka caucho-qu...

8.8CVSS8.3AI score0.07963EPSS
CVE
CVE
added 2020/03/31 4:37 a.m.425 views

CVE-2020-11112

CVE-2020-11112 affects FasterXML jackson-databind 2.x before 2.9.10.4, where serialization gadgets and typing interaction is mishandled (related to org.apache.commons.proxy.provider.remoting.RmiProvider). This is a deserialization issue that could enable malicious payload execution; affected prod...

8.8CVSS8.3AI score0.03583EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.421 views

CVE-2021-21345

CVE-2021-21345 affects the XStream Java library. Per connected sources, vulnerable versions are those before 1.4.16, where an attacker with sufficient rights can remotely execute commands on the host by manipulating the processed input stream. The issue is mitigated by upgrading to 1.4.16 or late...

9.9CVSS7.8AI score0.72324EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.420 views

CVE-2021-21346

XStream (Java XML serialization library) has CVE-2021-21346 among a set of 2021-04x vulnerabilities. The issue affects XStream prior to 1.4.16 where processing input streams can lead to remote code execution or related impacts if exploitation occurs, with mitigations including enabling the Securi...

9.8CVSS8.3AI score0.76367EPSS
CVE
CVE
added 2020/01/03 3:35 a.m.419 views

CVE-2019-20330

CVE-2019-20330 affects FasterXML jackson-databind 2.x before 2.9.10.2, which lacks blocking for net.sf.ehcache in deserialization. This is a deserialization-side issue with high–critical impact potential; remediation is to upgrade to jackson-databind 2.9.10.2 or newer as indicated by connected IB...

9.8CVSS9.2AI score0.0864EPSS
CVE
CVE
added 2019/10/12 8:7 p.m.409 views

CVE-2019-17531

CVE-2019-17531 affects FasterXML jackson-databind 2.0.0–2.9.10; when Default Typing is enabled for an externally exposed JSON endpoint and apache-log4j-extra 1.2.x is on the classpath, an attacker capable of providing a JNDI service can trigger remote code execution. Connected documents corrobora...

9.8CVSS9.2AI score0.05329EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.408 views

CVE-2021-21347

CVE-2021-21347 affects XStream Java library (pre-1.4.16). The vulnerability allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream, with high severity when not using a proper security framework. Guidance across sources indicates u...

9.8CVSS8.3AI score0.14301EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.408 views

CVE-2021-21349

XStream (Java) before 1.4.16 is vulnerable to an input-stream manipulation flaw (CVE-2021-21349) that may allow a remote attacker to access data from internal resources not publicly available. The issue arises from processing the input stream during deserialization. A fix is available in XStream ...

8.6CVSS7.8AI score0.46826EPSS
CVE
CVE
added 2019/01/02 6:0 p.m.406 views

CVE-2018-14720

CVE-2018-14720 affects jackson-databind 2.x prior to 2.9.7, via unsafe polymorphic deserialization that could enable external XML entity (XXE) attacks when failure to block unspecified JDK classes occurs. The connected documents corroborate a fix in 2.9.7 (and related update notes), with multiple...

9.8CVSS9.4AI score0.07524EPSS
CVE
CVE
added 2021/07/13 7:15 a.m.401 views

CVE-2021-36090

CVE-2021-36090 affects Apache Commons Compress zip handling: reading a specially crafted ZIP can allocate excessive memory, causing an out-of-memory DoS. Supported details from IBM/AWS advisories point to a fix in Commons Compress (upgrade to 1.21+; e.g., Amazon Linux advisories list apache-commo...

7.5CVSS7.5AI score0.13292EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.399 views

CVE-2021-21350

CVE-2021-21350 affects the XStream Java library. Connected sources confirm that before version 1.4.16 XStream allowed remote code execution by manipulating the processed input stream, with guidance to enable a security whitelist and upgrade to at least 1.4.16. Debian security advisories (DSA-5004...

9.8CVSS8AI score0.15234EPSS
CVE
CVE
added 2020/04/07 10:14 p.m.393 views

CVE-2020-11620

CVE-2020-11620 : Jackson Databind 2.x before 2.9.10.4 has a deserialization issue arising from how serialization gadgets interact with typing, specifically related to org.apache.commons.jelly.impl.Embedded. This allows potential compromise of confidentiality, integrity, and availability (IBM X-Fo...

8.1CVSS8AI score0.05594EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.389 views

CVE-2021-21348

XStream (Java) before version 1.4.16 is vulnerable to a denial of service where a remote attacker can cause a thread to consume maximum CPU time and not return. Public documents consistently describe the issue as affecting XStream’s XML deserialization, with mitigation requiring upgrading to at l...

7.8CVSS7.2AI score0.13832EPSS
CVE
CVE
added 2021/12/09 12:0 a.m.350 views

CVE-2021-43797

CVE-2021-43797 : Netty prior to 4.1.71.Final fails to validate control chars at the start/end of header names, allowing HTTP request smuggling via crafted transfer-encoding/headers. This can enable the proxy to sanitize header names and forward malformed requests to remote systems that may not re...

6.5CVSS7.8AI score0.02682EPSS
CVE
CVE
added 2019/10/23 7:27 p.m.345 views

CVE-2019-12415

CVE-2019-12415 affects Apache POI up to version 4.1.0. The vulnerability arises when using the tool XSSFExportToXml to convert user-supplied Excel documents, allowing an attacker to read local filesystem or internal network resources via XML External Entity (XXE) processing. The Connected documen...

5.5CVSS6.7AI score0.0099EPSS
CVE
CVE
added 2019/10/01 4:6 p.m.344 views

CVE-2019-16943

CVE-2019-16943 affects FasterXML jackson-databind (versions 2.0.0–2.9.10) via a polymorphic typing flaw that, when Default Typing is enabled for an exposed JSON endpoint and a p6spy P6DataSource is present in the classpath with an accessible RMI endpoint, can lead to remote code execution. The ro...

9.8CVSS9.3AI score0.04861EPSS
CVE
CVE
added 2019/10/10 9:4 p.m.335 views

CVE-2019-17495

CVE-2019-17495 is a CSS injection flaw in Swagger UI prior to 3.23.11 using the Relative Path Overwrite (RPO) technique that can lead to exfiltration of sensitive data (e.g., CSRF tokens) via CSS-based input field values. Concrete details across connected docs show multiple IBM advisories referen...

9.8CVSS9.3AI score0.0558EPSS
CVE
CVE
added 2019/10/01 4:4 p.m.323 views

CVE-2019-16942

CVE-2019-16942 affects FasterXML jackson-databind 2.0.0–2.9.10. When Default Typing is enabled for an externally exposed JSON endpoint and the service includes the commons-dbcp 1.4 jar on the classpath, with an accessible RMI endpoint, the vulnerability can allow execution of a malicious payload ...

9.8CVSS9.4AI score0.05681EPSS
Total number of security vulnerabilities72