CVE-2020-11022
CVE-2020-11022 affects jQuery versions >=1.2 and <3.5.0; remediation is to upgrade to >=3.5.0 or apply vendor guidance where applicable.
CVE-2015-9251
CVE-2015-9251 affects jQuery before 3.0.0, enabling XSS when a cross-domain Ajax request omits the dataType option and text/javascript responses are executed. Connected advisories confirm the issue and indicate an upgrade resolves it; remediation is to upgrade jQuery to a fixed version as provide...
CVE-2019-11358
CVE-2019-11358 is a prototype pollution vulnerability in jQuery (before 3.4.0) where mishandling of extend(true, {}, ...) can extend Object.prototype if an unsanitized source object has an enumerable __proto__ property. The core issue is triggered when a polluted prototype is introduced via nested ob...
CVE-2021-4104
CVE-2021-4104 affects JMSAppender in Log4j 1.2 when it is explicitly configured to use JMSAppender. A deserialization of untrusted data can occur if an attacker can write Log4j configuration and supply TopicBindingName and TopicConnectionFactoryBindingName, causing JMSAppender to perform JNDI req...
CVE-2021-45105
Summary of CVE-2021-45105 (Log4j2): Affected Log4j 2.x versions 2.0-alpha1 through 2.16.0 (except 2.12.3 and 2.3.1) are vulnerable to denial of service via uncontrolled recursion triggered by self-referential lookups in Thread Context Map data. The root cause is improper handling of self-referen...
CVE-2022-23302
CVE-2022-23302 affects Log4j 1.x JMSSink. The deserialization flaw allows remote code execution when an attacker can write to the Log4j configuration or when the configuration references an LDAP service the attacker controls. JMSSink can be triggered via a TopicConnectionFactoryBindingName to caus...
CVE-2022-23307
CVE-2022-23307 concerns a deserialization vulnerability in the Chainsaw component of Apache Log4j 1.x (Chainsaw bundled with Log4j 1.2.x). The root cause is unsafe deserialization of untrusted data via Chainsaw, allowing potential code execution. Multiple Atlassian products initially bundled Chai...
CVE-2022-23305
CVE-2022-23305 concerns Apache Log4j 1.x when configured with JDBCAppender: an SQL statement is built from a PatternLayout-converted value (notably %m), allowing an attacker to craft input to alter and potentially execute SQL. The issue is specific to Log4j 1.x if JDBCAppender is used; JDBCAppend...
CVE-2017-5645
CVE-2017-5645 affects Apache Log4j 2.x prior to 2.8.2. The vulnerability arises when using a TCP/UDP socket server to receive serialized log events from another application; a crafted binary payload can be deserialized to execute arbitrary code. The documented impact is remote code execution via ...
CVE-2020-10683
CVE-2020-10683 is described in IBM Bulletin sources as an XXE vulnerability in the dom4j library, allowing a remote authenticated attacker to obtain sensitive information through XML processing. The issue stems from dom4j handling External DTDs/Entities by default, and multiple IBM entries map th...
CVE-2018-14721
CVE-2018-14721 affects FasterXML jackson-databind 2.x up to 2.9.6 (before 2.9.7). The flaw allows remote attackers to perform SSRF because the axis2-jaxws class is not blocked during polymorphic deserialization, enabling server-side requests under network access. The vulnerability is tied to the misuse ...
CVE-2018-14720
CVE-2018-14720 affects jackson-databind 2.x prior to 2.9.7, via unsafe polymorphic deserialization that could enable external XML entity (XXE) attacks when failure to block unspecified JDK classes occurs. The connected documents corroborate a fix in 2.9.7 (and related update notes), with multiple...
CVE-2019-12415
CVE-2019-12415 affects Apache POI up to version 4.1.0. The vulnerability arises when using the tool XSSFExportToXml to convert user-supplied Excel documents, allowing an attacker to read local filesystem or internal network resources via XML External Entity (XXE) processing. The connected documen...
CVE-2018-14718
CVE-2018-14718 affects FasterXML jackson-databind 2.x (pre-2.9.7). Description: remote code execution via deserialization due to failure to block the slf4j-ext class from polymorphic deserialization. IBM watsonx.data is listed as affected (versions 1.0.0–2.0.0 in some bulletins; later bulletins s...
CVE-2019-12402
CVE-2019-12402 affects Apache Commons Compress 1.15–1.18, where the internal file-name encoding can loop infinitely and cause DoS when processing crafted archives. Connected docs show multiple vendors referencing this CVE in product advisories (e.g., Atlassian Confluence with dependency notes; IB...
CVE-2018-14719
CVE-2018-14719 involves FasterXML jackson-databind 2.x before 2.9.7. The root cause is failure to block polymorphic deserialization of certain gadgets (blaze-ds-opt/blaze-ds-core), enabling remote code execution if the gadget classes can be reached. The IBM bulletin references Jackson D...
CVE-2017-10273
CVE-2017-10273: Oracle JDeveloper in Oracle Fusion Middleware Deployment is affected by a directory traversal vulnerability. Affected versions include 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.2.0. The issue allows a high-privilege attacker with logon to compromise JDeveloper, with impac...
CVE-2017-3255
CVE-2017-3255 affects Oracle JDeveloper (ADF Faces within Oracle Fusion Middleware). Affected versions include 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0. The vulnerability enables unauthenticated, network-accessible information disclosure over HTTP, pot...
CVE-2016-3504
CVE-2016-3504 is an unspecified vulnerability in the Oracle JDeveloper component of Oracle Fusion Middleware (versions 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0) that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to ADF Faces. ...
CVE-2018-2711
CVE-2018-2711 affects the Oracle JDeveloper component of Oracle Fusion Middleware (Security Framework). Affected versions include 11.1.1.2.4, 11.1.1.7.x, 11.1.1.9.0 and 12.1.3.0.0. An unauthenticated attacker with network access via HTTP can exploit this vulnerability to compromise JDeveloper and...
CVE-2005-2291
CVE-2005-2291: Oracle JDeveloper 9.0.4, 9.0.5, and 10.1.2 pass the cleartext password as a parameter when starting sqlplus, enabling local users to gain sensitive information. The connected documents confirm the affected products and the root cause (password passed in cleartext as a startup para...
CVE-2019-2899
CVE-2019-2899 affects Oracle JDeveloper and ADF (OAM component) in Oracle Fusion Middleware. Affected versions: 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0. The vulnerability is due to insufficient access control in OAM, allowing a high-privilege attacker with network access via HTTP to compro...
CVE-2005-2292
CVE-2005-2292: Oracle JDeveloper versions 9.0.4, 9.0.5, and 10.1.2 store cleartext passwords in IDEConnections.xml, XSQLConfig.xml, and settings.xml. The issue allows local users to obtain sensitive information from these configuration files. The connected documents confirm the affected products...
CVE-2008-2623
CVE-2008-2623 affects the Oracle Application Server 10.1.2.3 JDeveloper component. The vulnerability is described as unspecified and affects confidentiality via unknown vectors, with local access as the attack vector and a low impact (C:P/I:N/A:N). The provided sources identify the affected product...
CVE-2008-2588
CVE-2008-2588 affects Oracle Application Server 10.1.2.2, specifically the Oracle JDeveloper component. The vulnerability is described as an unspecified local-privilege issue that could affect confidentiality via unknown vectors. The NVD entry assigns a LOW base score (2.1) with Local attack vect...