15 matches found
CVE-2021-29425
CVE-2021-29425 affects Apache Commons IO up to version 2.6, specifically FileNameUtils.normalize. With inputs such as "//../foo" or "\..\foo", normalization can yield a value that does not escape to higher directories, potentially enabling access to the parent directory if the resulting path is u...
CVE-2020-9488
CVE-2020-9488 affects the Apache Log4j2 SMTP appender. The issue is improper validation of the SSL/TLS certificate when the host name does not match, potentially allowing a man-in-the-middle to intercept SMTPS traffic and leak log messages. The concrete remediation is to upgrade to affected relea...
CVE-2020-10683
CVE-2020-10683 is described in IBM Bulletin sources as an XXE vulnerability in the dom4j library, allowing a remote authenticated attacker to obtain sensitive information through XML processing. The issue stems from dom4j handling External DTDs/Entities by default, and multiple IBM entries map th...
CVE-2019-10247
CVE-2019-10247 affects Eclipse Jetty when configured to list contexts in 404 responses. Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older disclose the fully qualified directory base resource location in the HTML output of a not-found Context, via the DefaultHandler...
CVE-2020-27216
CVE-2020-27216 affects Eclipse Jetty in Unix-like environments across versions 1.0–9.4.32.v20200930, 10.0.0.alpha1–10.0.0.beta2, and 11.0.0.alpha1–11.0.0.beta2O. It describes a race condition where the system temporary directory is shared among users, allowing a collocated user to observe the cre...
CVE-2019-0227
The CVE-2019-0227 entry concerns an SSRF in Apache Axis 1.4 (last released in 2006). The connected IBM bulletins confirm Axis 1.x vulnerability details and state Axis 2 is the successor, with 1.7.9 (Axis2) being not vulnerable. Affected Axis 1.x components are legacy; remediation is to upgrade to...
CVE-2018-8032
CVE-2018-8032 affects Apache Axis 1.x (up to 1.4) with a cross-site scripting (XSS) vulnerability in the default servlet/services. This vulnerability is documented in IBM/PM security bulletins linked to Axis, confirming an XSS flaw (CWE-79) in Axis 1.x and indicating broader IBM product exposure....
CVE-2019-10241
CVE-2019-10241 affects Eclipse Jetty prior to specific release lines: 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older. The vulnerability is an XSS due to improper validation of user-supplied input by DefaultServlet and ResourceHandler when a remote client uses a specially crafted URL to ...
CVE-2019-10246
CVE-2019-10246 is described in connected IBM security bulletins as an Eclipse Jetty vulnerability where a server configured to Listing directory contents could expose the fully-qualified Base Resource directory name to remote clients, potentially revealing sensitive information. IBM Cognos Analyt...
CVE-2016-8324
The CVE-2016-8324 entry affects Oracle FLEXCUBE Core Banking (subcomponent: Core) with affected versions 5.1.0, 5.2.0, and 11.5.0. Root cause details are not explicitly provided in the documents, but the vulnerability enables an unauthenticated attacker with network access via HTTP to read data f...
CVE-2016-8322
CVE-2016-8322 affects Oracle FLEXCUBE Core Banking (subcomponent: Core). Affected versions are 5.1.0, 5.2.0 and 11.5.0. The vulnerability allows a low-privilege, network-accessible attacker (HTTP) to read a subset of data in the Core Banking component. The CVSS v3 base score is 4.3 (Confidentiali...
CVE-2018-2807
The CVE-2018-2807 entry affects Oracle Financial Services Applications’ FLEXCUBE Core Banking, Securities subcomponent, specifically versions 11.5.0, 11.6.0, and 11.7.0. The vulnerability allows an unauthenticated attacker with network access via HTTP to compromise FLEXCUBE Core Banking, with att...
CVE-2016-8314
CVE-2016-8314 affects Oracle FLEXCUBE Core Banking (subcomponent: Core). Affected versions are 5.1.0, 5.2.0 and 11.5.0. The vulnerability is exploitable by a low-privileged attacker with network access over HTTP and can lead to unauthorized read access to a subset of data in Oracle FLEXCUBE Core ...
CVE-2016-8323
CVE-2016-8323 affects Oracle FLEXCUBE Core Banking (Core subcomponent) in Oracle Financial Services Applications. Affected versions: 5.1.0, 5.2.0, 11.5.0. Vulnerability allows a low-privilege, network-accessing attacker over HTTP to perform unauthorized updates/inserts/deletes and read access to ...
CVE-2020-2955
CVE-2020-2955 affects Oracle FLEXCUBE Core Banking, specifically the Transaction Processing component, in version 4.0. The vulnerability allows a low-privileged attacker with network access via HTTP to update, insert, or delete data and to read data, with a partial denial of service against FLEXC...