Lucene search
K
OracleCommerce Guided Search

52 matches found

CVE
CVE
added 2022/03/03 12:0 a.m.2149 views

CVE-2022-22947

CVE-2022-22947 affects Spring Cloud Gateway when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker can craft a request to the Actuator interface and cause arbitrary remote code execution on the host due to a code-injection vulnerability in the gateway routing/Act...

10CVSS9.7AI score0.98253EPSS
In wild
CVE
CVE
added 2020/12/10 10:10 p.m.1022 views

CVE-2020-8908

CVE-2020-8908 (Guava) : A temp directory creation vulnerability exists in all Guava versions where guava’s API com.google.common.io.Files.createTempDir() creates temporary directories that are world-readable on Unix-like systems. The issue arises because the temp dir permissions are not restricte...

3.3CVSS6.3AI score0.00964EPSS
CVE
CVE
added 2020/07/14 3:0 p.m.974 views

CVE-2020-13935

CVE-2020-13935 affects Apache Tomcat: the WebSocket frame payload length was not properly validated, which could trigger an infinite loop and allow DoS via multiple invalid payloads. Affected: Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, and 7.0.27 to 7.0.104. The initial d...

7.5CVSS7.5AI score0.87553EPSS
CVE
CVE
added 2020/12/02 4:20 p.m.889 views

CVE-2020-13956

CVE-2020-13956 affects Apache HttpClient prior to 4.5.13 and 5.0.3. A malformed authority component in request URIs, when passed as a java.net.URI, can cause the client to misinterpret the target host and execute the request against an unintended host. This represents a misrouting vulnerability i...

5.3CVSS5.9AI score0.08665EPSS
CVE
CVE
added 2021/08/23 12:0 a.m.852 views

CVE-2021-39144

CVE-2021-39144 refers to a remote code execution vulnerability in XStream, a Java library for XML serialization. When processed input streams are manipulated, an attacker with sufficient rights could execute arbitrary commands on the host. Public descriptions consistently note that XStream now us...

8.5CVSS9AI score0.98124EPSS
In wild
CVE
CVE
added 2021/09/19 12:0 a.m.721 views

CVE-2021-40690

The CVE-2021-40690 issue affects Apache Santuario – XML Security for Java. All versions prior to 2.2.3 and 2.1.7 are vulnerable due to the "secureValidation" property not being passed when creating a KeyInfo from a KeyInfoReference element, enabling an XPath Transform abuse to extract local .xml ...

7.5CVSS7.4AI score0.10448EPSS
CVE
CVE
added 2021/04/13 6:50 a.m.633 views

CVE-2021-29425

CVE-2021-29425 affects Apache Commons IO up to version 2.6, specifically FileNameUtils.normalize. With inputs such as "//../foo" or "\..\foo", normalization can yield a value that does not escape to higher directories, potentially enabling access to the parent directory if the resulting path is u...

5.8CVSS6.7AI score0.10608EPSS
In wild
CVE
CVE
added 2021/03/25 2:25 p.m.564 views

CVE-2021-3450

CVE-2021-3450 affects OpenSSL 1.1.1h–1.1.1j where a bug in the X509_V_FLAG_X509_STRICT path overwrote a prior CA-check result, bypassing the non-CA certificates prohibition unless a programmed purpose is used. When a purpose is configured, the certificate chain is still rejected; the issue is fix...

7.4CVSS7.6AI score0.18339EPSS
CVE
CVE
added 2021/09/29 12:0 a.m.495 views

CVE-2021-22947

CVE-2021-22947 affects curl when connecting to IMAP/POP3 servers using STARTTLS: multiple responses are cached before TLS, and after upgrading to TLS curl may trust pre‑TLS data, enabling a MITM injection of data. Affected releases range from curl 7.20.0 up to 7.78.0; exploitation details are not...

5.9CVSS7AI score0.02799EPSS
CVE
CVE
added 2021/11/17 12:0 a.m.482 views

CVE-2021-41164

CKEditor4 contains an Advanced Content Filter (ACF) vulnerability (CVE-2021-41164) that allows injection of malformed HTML bypassing sanitization, enabling JavaScript execution. Affected: CKEditor4

8.2CVSS6.2AI score0.01257EPSS
CVE
CVE
added 2021/10/19 12:0 a.m.477 views

CVE-2021-37136

CVE-2021-37136 : The Bzip2 decompression decoder can set no limit on the decompressed output size, affecting all Bzip2Decoder users. This under- or over-allocates memory during decompression and can trigger an OutOfMemoryError, enabling DoS. Connected IBM/ASTRA entries reiterate the same descript...

7.5CVSS7.4AI score0.05651EPSS
CVE
CVE
added 2021/10/19 12:0 a.m.435 views

CVE-2021-37137

CVE-2021-37137 involves Netty’s Snappy frame decoding where the SnappyFrameDecoder does not restrict the chunk length, enabling potential excessive memory usage. The issue can be triggered by crafted input that decompresses to a very large size (via network streams or files) or by sending a very ...

7.5CVSS7.4AI score0.0628EPSS
CVE
CVE
added 2021/09/29 12:0 a.m.413 views

CVE-2021-22946

CVE-2021-22946 affects curl before 7.82.0 (and within 7.20.0–7.78.0 per description) where the --ssl-reqd option or CURLUSESSL controls could be bypassed if a server crafts a legitimate response, allowing curl to continue without TLS. Connected sources confirm this flaw exists across multiple eco...

7.5CVSS7.6AI score0.04224EPSS
CVE
CVE
added 2021/08/23 5:50 p.m.405 views

CVE-2021-39139

CVE-2021-39139 affects XStream, a Java XML serialization library. The vulnerability allows a remote attacker to load and execute arbitrary code by manipulating the processed input stream; exploitation depends on the affected XStream version and runtime behavior. Connected advisories confirm XStre...

8.8CVSS8.8AI score0.0454EPSS
CVE
CVE
added 2021/07/13 7:15 a.m.400 views

CVE-2021-36090

CVE-2021-36090 affects Apache Commons Compress zip handling: reading a specially crafted ZIP can allocate excessive memory, causing an out-of-memory DoS. Supported details from IBM/AWS advisories point to a fix in Commons Compress (upgrade to 1.21+; e.g., Amazon Linux advisories list apache-commo...

7.5CVSS7.5AI score0.13292EPSS
CVE
CVE
added 2021/08/12 5:10 p.m.389 views

CVE-2021-32809

CVE-2021-32809 concerns CKEditor 4’s Clipboard functionality. Affected: CKEditor 4, Clipboard plugin, version >= 4.5.2. Root cause: HTML injected via malformed paste content could be executed within the editor’s context. Impact: potential HTML injection into the editor content (code injection ...

5.4CVSS5.8AI score0.01188EPSS
CVE
CVE
added 2020/12/18 12:52 a.m.384 views

CVE-2020-28052

CVE-2020-28052 — BC Java OpenBSDBCrypt.password check issue : In Legion of the Bouncy Castle BC Java versions 1.65 and 1.66, the OpenBSDBCrypt.checkPassword method can compare data incorrectly during password verification, causing some incorrect passwords to be treated as a match for different, p...

8.1CVSS7.7AI score0.0714EPSS
CVE
CVE
added 2021/08/23 6:20 p.m.383 views

CVE-2021-39152

CVE-2021-39152 concerns the XStream Java XML serialization library. The vulnerability allows a remote attacker to request data from internal resources not publicly available by manipulating the processed input stream, impacting systems using affected XStream versions when running Java runtimes ar...

8.5CVSS8.6AI score0.11468EPSS
In wild
CVE
CVE
added 2020/01/15 4:34 p.m.382 views

CVE-2020-2604

CVE-2020-2604 affects Oracle Java SE/Java SE Embedded Serialization. Affected: Java SE 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded 8u231. Described impact: unauthenticated, network-based attacker can take over the Java environment; high confidentiality, integrity, and availability impact (CVSS...

8.1CVSS7.7AI score0.04903EPSS
CVE
CVE
added 2021/08/23 5:55 p.m.382 views

CVE-2021-39151

CVE-2021-39151 is part of a family of vulnerabilities in XStream, a Java library used for XML serialization. The connected documents confirm that, in affected versions, an attacker can load and execute arbitrary code on a remote host by manipulating the processed input stream, with no user intera...

8.5CVSS8.8AI score0.04735EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.363 views

CVE-2021-39141

The CVE-2021-39141 entry concerns the XStream Java library, where an attacker can load and execute arbitrary code by manipulating the processed input stream. Affected versions permit code execution from a remote host; mitigation is to upgrade to XStream 1.4.18, which replaces a reliance on blackl...

8.5CVSS8.8AI score0.16118EPSS
CVE
CVE
added 2021/08/23 6:15 p.m.358 views

CVE-2021-39140

CVE-2021-39140 affects the XStream Java library. Connected sources describe a vulnerability in XStream up to version 1.4.18 that may allow a remote attacker to cause 100% CPU denial-of-service by manipulating the input stream; no user interaction required. Affected platforms reference upstream be...

6.5CVSS7.3AI score0.05918EPSS
CVE
CVE
added 2021/08/23 6:20 p.m.358 views

CVE-2021-39150

XStream Java library (xstream) is affected by CVE-2021-39150. The flaw arises when processing the input stream, potentially allowing a remote attacker to access internal resources not publicly available. Affected description notes impact across Java runtimes from 14 to 8, and emphasizes that enab...

8.5CVSS8.6AI score0.03437EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.350 views

CVE-2021-39145

The CVE-2021-39145 vulnerability affects the XStream Java library. In affected versions, a remote attacker can load and execute arbitrary code by manipulating the processed input stream. Public advisories reference XStream updates (e.g., Fedora, Debian, Amazon Linux 2) and indicate remediation th...

8.5CVSS8.8AI score0.04065EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.350 views

CVE-2021-39146

CVE-2021-39146 is an XStream deserialization vulnerability that has been addressed in multiple IBM advisories. The issue allows remote code execution via unsafe object deserialization in XStream across products that bundle the library (e.g., Atlas eDiscovery Process Management, ITNCM, IBM Spectru...

8.5CVSS8.8AI score0.143EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.342 views

CVE-2021-39149

CVE-2021-39149 affects the XStream Java serialization library. The vulnerability permits a remote attacker to load and execute arbitrary code by manipulating the processed input stream. The issue is tied to XStream’s input handling and the move away from blacklist-based security (1.4.18), relying...

8.5CVSS8.8AI score0.04735EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.336 views

CVE-2021-39147

CVE-2021-39147 relates to XStream, a Java library for XML serialization. Publicly available documents confirm a remote code execution risk when processing input streams, with XStream 1.4.18 and related releases susceptible unless mitigations are applied. Connected sources describe the root cause ...

8.5CVSS8.8AI score0.04735EPSS
CVE
CVE
added 2021/08/12 11:10 p.m.333 views

CVE-2021-37695

CKEditor 4 vulnerability CVE-2021-37695 involves the Fake Objects addon. The issue allows injection of malformed Fake Objects HTML that can lead to JavaScript execution in affected CKEditor 4 plugins when used at versions prior to 4.16.2. Public references in connected documents confirm the affec...

7.3CVSS6AI score0.01324EPSS
CVE
CVE
added 2021/08/23 5:50 p.m.331 views

CVE-2021-39154

XStream (Java) vulnerability CVE-2021-39154: in affected XStream releases (e.g., 1.4.18) a remote attacker can load and execute arbitrary code by manipulating the input stream. Multiple advisories (Debian, Fedora, Amazon Linux 2 ALAS, etc.) reference the same CVE family and urge upgrading libxstr...

8.5CVSS8.8AI score0.04735EPSS
CVE
CVE
added 2021/07/13 7:15 a.m.324 views

CVE-2021-35515

CVE-2021-35515 is an infinite-loop denial-of-service in Apache Commons Compress when reading a crafted 7Z archive. The issue arises during the construction of the codecs list used to decompress an entry, potentially consuming unbounded CPU and impacting services that rely on the sevenz package. C...

7.5CVSS7.2AI score0.11879EPSS
CVE
CVE
added 2021/07/13 7:15 a.m.317 views

CVE-2021-35517

CVE-2021-35517 affects Apache Commons Compress tar handling. The vulnerability, triggered by reading a specially crafted TAR archive, can cause Compress to allocate excessive memory, potentially leading to an out-of-memory condition and a denial-of-service against services using Compress’ tar pac...

7.5CVSS7.5AI score0.10901EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.314 views

CVE-2021-39148

Summary: CVE-2021-39148 affects XStream, a Java XML-serialization library. Multiple connected advisories confirm a remote code-execution risk by manipulating the processed input stream, with the attacker able to load and execute arbitrary code from a remote host. The issue is tied to how XStream ...

8.5CVSS8.8AI score0.04735EPSS
CVE
CVE
added 2021/07/13 7:15 a.m.298 views

CVE-2021-35516

CVE-2021-35516 affects Apache Commons Compress (the sevenz package). A specially crafted 7Z archive can cause the library to allocate excessive memory, ultimately causing an out-of-memory condition and a denial-of-service on services that use Compress’ sevenz component. The initial description do...

7.5CVSS7.3AI score0.12697EPSS
CVE
CVE
added 2019/11/08 2:46 p.m.294 views

CVE-2019-10219

The CVE-2019-10219 entry affects Hibernate Validator: SafeHtml validator annotation fails to sanitize HTML comments/instructions, enabling XSS in affected code paths. Affected CP4S versions are 1.7.2.0, 1.8.0.0, and 1.8.1.0. Remediation is to upgrade to Cloud Pak for Security 1.9.0.0 per IBM guid...

6.5CVSS6AI score0.02167EPSS
CVE
CVE
added 2021/05/27 2:48 p.m.291 views

CVE-2021-22118

CVE-2021-22118 affects the Spring Framework WebFlux component. The vulnerability exists in Spring Framework versions: 5.2.x prior to 5.2.15 and 5.3.x prior to 5.3.7. An authenticated local attacker can exploit a flaw tied to (re)creating the temporary storage directory to read or modify files upl...

7.8CVSS7.5AI score0.00396EPSS
CVE
CVE
added 2020/09/19 3:45 a.m.290 views

CVE-2020-5421

CVE-2020-5421 affects Spring Framework releases across multiple lines (5.2.x to 5.0.x, 4.3.x and older). The issue arises from improper input handling of the jsessionid path parameter, which may bypass RFD Protection and weaken security controls. Affected products reference VMware Tanzu Spring Fr...

8.7CVSS7.2AI score0.10736EPSS
CVE
CVE
added 2022/02/01 12:8 p.m.273 views

CVE-2021-43859

XStream Java library (versions before 1.4.19) is vulnerable to a remote DoS via crafted input streams that can cause 100% CPU, depending on CPU type/parallelism. The fix is upgrading to XStream 1.4.19, which monitors element-adding times and throws an exception when a threshold is exceeded; a NO_...

7.5CVSS7.5AI score0.07934EPSS
CVE
CVE
added 2021/08/12 4:25 p.m.272 views

CVE-2021-32808

CKEditor 4.x clipboard Widget plugin vulnerability (CVE-2021-32808) arises from improper validation of widget HTML when used with the undo feature, allowing a remote attacker to trigger JavaScript execution in the victim’s browser. Affected: CKEditor 4 plugins with version >= 4.13.0. Remediati...

7.6CVSS6.1AI score0.01192EPSS
CVE
CVE
added 2019/11/06 8:18 p.m.254 views

CVE-2019-12419

CVE-2019-12419 affects Apache CXF OpenId Connect token service prior to CXF 3.3.4 and 3.2.11, where the authenticated principal is not validated against the supplied clientId in the request. This could allow an attacker who obtained an authorization code for one client to exchange it for an acces...

9.8CVSS9.1AI score0.13836EPSS
CVE
CVE
added 2020/01/16 5:50 p.m.243 views

CVE-2019-17573

CVE-2019-17573 is an XSS vulnerability in Apache CXF affecting WebSphere Application Server Liberty’s WebSphere JAX-WS components via the CXF /services listing page. Public docs confirm the issue and cite the vulnerable surface as CXF’s endpoint listing, with exploitation potentially executing sc...

6.1CVSS5.7AI score0.07055EPSS
CVE
CVE
added 2019/11/06 8:7 p.m.222 views

CVE-2019-12406

CVE-2019-12406 describes a denial-of-service in Apache CXF where a message can include an excessive number of attachments. The fixed releases (CXF 3.3.4 and 3.2.11) enforce a default attachment limit of 50, configurable via the attachment-max-count property. IBM/materials reference CXF and note a...

6.5CVSS6.3AI score0.06257EPSS
CVE
CVE
added 2021/11/17 7:15 p.m.221 views

CVE-2021-41165

CKEditor4 core HTML processing vulnerability (CVE-2021-41165) allows injection of malformed HTML comments bypassing content sanitization, potentially enabling JavaScript execution. Affected: CKEditor 4.x versions before 4.17.0 (affects all plugins). Impact: execution of arbitrary script in affect...

8.2CVSS6.2AI score0.0147EPSS
CVE
CVE
added 2020/01/16 5:42 p.m.184 views

CVE-2019-12423

CVE-2019-12423 affects Apache CXF OpenId Connect JWK Keys service. When rs.security.keystore.type is set to “jwk”, the service may return all keys from the JWK file, potentially exposing private/secret key credentials if present, though newer CXF releases restrict to the key with the matching ali...

7.5CVSS7.2AI score0.0606EPSS
CVE
CVE
added 2022/03/04 3:50 p.m.164 views

CVE-2022-22946

CVE-2022-22946 affects Spring Cloud Gateway versions prior to 3.1.1+. When HTTP/2 is enabled and there is no key store or trusted certificates, the gateway may be configured to use an insecure TrustManager, allowing connections to remote services with invalid or custom certificates. Affected comp...

5.5CVSS5.7AI score0.04846EPSS
CVE
CVE
added 2020/08/30 7:15 a.m.129 views

CVE-2020-7712

CVE-2020-7712—Initial public details: the vulnerability in json package prior to 10.0.0 enables arbitrary command injection via parseLookup. Connected data from a Nessus plugin (Oracle Siebel Server <= 22.5) cites the CVE and describes a vulnerability in Siebel CRM (component: Loging/APache Zo...

7.2CVSS7AI score0.03727EPSS
CVE
CVE
added 2022/04/19 8:38 p.m.100 views

CVE-2022-21466

CVE-2022-21466 affects Oracle Commerce Guided Search (Tools and Frameworks) in Oracle Commerce 11.3.2. The vulnerability allows an unauthenticated, network-accessible attacker via HTTP to access or compromise Oracle Commerce Guided Search, with Confidentiality impact described as High and other i...

7.5CVSS7.5AI score0.01785EPSS
CVE
CVE
added 2020/07/15 5:34 p.m.60 views

CVE-2020-14536

The CVE-2020-14536 entry concerns Oracle Commerce Guided Search / Oracle Commerce Experience Manager (Workbench) with affected versions 11.0, 11.1, 11.2 and prior to 11.3.1. The vulnerability details a difficult-to-exploit issue that allows an unauthenticated attacker, over HTTP, to compromise th...

7.4CVSS7.5AI score0.01596EPSS
CVE
CVE
added 2021/07/20 10:43 p.m.50 views

CVE-2021-2345

CVE-2021-2345 affects Oracle Commerce Guided Search and Oracle Commerce Experience Manager (Tools and Frameworks) with a vulnerability in version 11.3.1.5. The issue allows a low-privilege, network-accessible attacker (HTTP) to compromise the product, requiring user interaction, and potentially l...

5.4CVSS4.9AI score0.00651EPSS
CVE
CVE
added 2021/07/20 10:43 p.m.48 views

CVE-2021-2346

CVE-2021-2346 affects Oracle Commerce Guided Search / Oracle Commerce Experience Manager (Tools and Frameworks) with affected version 11.3.1.5. The vulnerability is exploitable over HTTP by a low-privilege attacker on the network; successful attacks require human interaction and can lead to unaut...

5.4CVSS4.9AI score0.00511EPSS
CVE
CVE
added 2021/07/20 10:43 p.m.45 views

CVE-2021-2348

CVE-2021-2348 affects Oracle Commerce Guided Search / Oracle Commerce Experience Manager (Tools and Frameworks), version 11.3.1.5. The vulnerability allows a low-privileged, network-authenticated attacker to read a subset of data via HTTP, indicating a confidentiality impact. Descriptions across ...

4.3CVSS3.4AI score0.0086EPSS
Total number of security vulnerabilities52