Communications Unified Inventory Management Security Vulnerabilities and Issues — Communications Unified Inventory Management CVE List

Lucene search

OracleCommunications Unified Inventory Management

10 matches found

CVE•added 2020/12/03 5:15 p.m.•525 views

CVE-2020-25649

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

7.5CVSS7.3AI score0.00011EPSS

CVE•added 2020/05/01 7:15 p.m.•452 views

CVE-2020-10683

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

9.8CVSS9.2AI score0.02443EPSS

CVE•added 2020/04/27 4:15 p.m.•419 views

CVE-2020-9488

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

4.3CVSS6AI score0.00022EPSS

CVE•added 2020/10/01 8:15 p.m.•277 views

CVE-2020-11979

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effor...

7.5CVSS6.9AI score0.00591EPSS

CVE•added 2020/12/27 5:15 a.m.•269 views

CVE-2020-35728

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

8.1CVSS7.7AI score0.39669EPSS

CVE•added 2020/09/17 7:15 p.m.•262 views

CVE-2020-24750

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

8.1CVSS7.7AI score0.02107EPSS

CVE•added 2020/09/19 4:15 a.m.•261 views

CVE-2020-5421

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

8.7CVSS7.2AI score0.59873EPSS

CVE•added 2020/12/17 7:15 p.m.•234 views

CVE-2020-35491

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

8.1CVSS7.7AI score0.06892EPSS

CVE•added 2020/12/17 7:15 p.m.•226 views

CVE-2020-35490

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

8.1CVSS7.7AI score0.04749EPSS

CVE•added 2020/08/25 6:15 p.m.•194 views

CVE-2020-24616

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

8.1CVSS7.7AI score0.03783EPSS