34 matches found
CVE-2020-11023
The connected Astra Linux bulletin confirms CVE-2020-11023: in jQuery versions >= 1.0.3 and < 3.5.0, passing HTML containing elements from untrusted sources to DOM manipulation methods (e.g., .html(), .append()) may lead to untrusted code execution. Patch released in jQuery 3.5.0. Remediat...
CVE-2019-11358
CVE-2019-11358 is a prototype pollution vulnerability in jQuery (before 3.4.0) where mishandling of extend(true, {}, ...) can extend Object.prototype if an unsanitized source object has an enumerable proto property. The Core issue is triggered when a polluted prototype is introduced via nested ob...
CVE-2021-41182
CVE-2021-41182 is an XSS in the jQuery-UI Datepicker altField path (embedded in some OTRS deployments). Affected version observed as 1.12.1 copy; the issue is fixed in jQuery UI 1.13.0 by treating any altField value as a CSS selector. Debris from related CVEs (41183/41184) describe similar issues...
CVE-2021-41184
CVE-2021-41184 describes an XSS in jQuery-UI before 1.13.0 where untrusted input passed to the of option of the .position() utility could lead to code execution. The connected documents confirm the issue affects jQuery-UI embedded in other software (e.g., OTRS/IU contexts) and state the fix is to...
CVE-2021-29425
CVE-2021-29425 affects Apache Commons IO up to version 2.6, specifically FileNameUtils.normalize. With inputs such as "//../foo" or "\..\foo", normalization can yield a value that does not escape to higher directories, potentially enabling access to the parent directory if the resulting path is u...
CVE-2021-41183
CVE-2021-41183 concerns jQuery-UI’s Datepicker in the embedded jQuery-UI copy used by OTRS (notably in the 1.12.1 series). The vulnerability arises from accepting values for the various *Text options from untrusted sources, which could allow execution of untrusted code. The issue is fixed in jQue...
CVE-2021-28165
The CVE-2021-28165 issue affects Eclipse Jetty versions 7.2.2–9.4.38, 10.0.0.alpha0–10.0.1, and 11.0.0.alpha0–11.0.1, where handling a large invalid TLS frame can cause CPU usage to reach 100%, leading to resource exhaustion. The underlying cause is described as abnormal processing after receivin...
CVE-2021-28169
CVE-2021-28169 affects Eclipse Jetty shipped with multiple versions (<= 9.4.40, <= 10.0.2,
CVE-2020-27218
CVE-2020-27218 affects Eclipse Jetty 9.4.x (9.4.0.RC0–9.4.34.v20201102), 10.x (10.0.0.alpha0–beta2), and 11.x (11.0.0.alpha0–beta2). When GZIP request body inflation is enabled and requests from different clients are multiplexed on one connection, an attacker who can send a body that is received ...
CVE-2020-27223
CVE-2020-27223 affects Eclipse Jetty 9.4.6.v20170531–9.4.36.v20210114, 10.0.0, and 11.0.0, where handling requests with multiple Accept headers and many quality (q) values can cause high CPU usage and a DoS. Public sources consistently describe CPU exhaustion as the impact. Remediation is to upgr...
CVE-2021-34429
CVE-2021-34429 affects Eclipse Jetty: 9.4.37–9.4.42, 10.0.1–10.0.5, and 11.0.1–11.0.5. A vulnerability allows crafting certain encoded URIs to access WEB-INF content and bypass some security constraints, constituting a variation of CVE-2021-28164. Public references in connected docs describe this...
CVE-2021-34428
CVE-2021-34428 affects Eclipse Jetty up to 9.4.40, 10.0.2, and 11.0.2. The root cause is an exception in SessionListener#sessionDestroyed() that prevents the session ID from being invalidated in the session ID manager, which in clustered deployments can leave a user session active on a shared mac...
CVE-2017-7657
CVE-2017-7657 affects Eclipse Jetty: transfer-encoding chunk size parsing could overflow an integer, causing large chunks to be treated as smaller ones and enabling a fake pipelined request that bypasses intermediary authorization. Affected versions include Jetty 9.2.x and older, 9.3.x (all confi...
CVE-2019-10219
The CVE-2019-10219 entry affects Hibernate Validator: SafeHtml validator annotation fails to sanitize HTML comments/instructions, enabling XSS in affected code paths. Affected CP4S versions are 1.7.2.0, 1.8.0.0, and 1.8.1.0. Remediation is to upgrade to Cloud Pak for Security 1.9.0.0 per IBM guid...
CVE-2019-10241
CVE-2019-10241 affects Eclipse Jetty prior to specific release lines: 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older. The vulnerability is an XSS due to improper validation of user-supplied input by DefaultServlet and ResourceHandler when a remote client uses a specially crafted URL to ...
CVE-2017-7658
In CVE-2017-7658, Eclipse Jetty had a flaw in how it handles HTTP requests when multiple Content-Length headers are present or when a Content-Length header accompanies a chunked encoding header. This could allow a forged or pipelined request to bypass intermediary authorization if the shorter len...
CVE-2026-46840
CVE-2026-46840 affects Oracle REST Data Services (Backend-as-a-Service). Affected versions are 24.2.0–26.1.0. An unauthenticated attacker with network access via HTTPS can compromise ORDS, with potential takeover and full impact on related products. CVSS 3.1 base score is 10.0 (C/I/A = High). The...
CVE-2017-9735
CVE-2017-9735 affects Jetty (Jetty 9.x family) via a timing-channel flaw in util/security/Password.java, enabling a remote attacker to infer sensitive information by measuring response times to incorrect password attempts. The issue can lead to unauthorized access and is described with a CVSS bas...
CVE-2019-10246
CVE-2019-10246 is described in connected IBM security bulletins as an Eclipse Jetty vulnerability where a server configured to Listing directory contents could expose the fully-qualified Base Resource directory name to remote clients, potentially revealing sensitive information. IBM Cognos Analyt...
CVE-2021-32013
Affected software: SheetJS and SheetJS Pro up to version 0.16.9. Issue: memory consumption denial of service when reading a crafted .xlsx file via xlsx.js (issue 2 of 2). Impact: DoS due to parsing/memory handling. Remediation: upgrade to SheetJS/xlsx 0.17.0 or higher. Public references in connec...
CVE-2021-32014
SheetJS Pro up to version 0.16.9 is affected: reading a crafted .xlsx with xlsx.js can cause a denial of service via CPU consumption. The issue is documented across multiple sources (NVD, Red Hat, npm advisory, OSV) and is mitigated by upgrading to 0.17.0 or later. Affected product: SheetJS (and ...
CVE-2021-32012
CVE-2021-32012 affects SheetJS and SheetJS Pro up to version 0.16.9. A crafted .xlsx document read by xlsx.js can cause a denial of service via memory consumption (issue 1 of 2). Exploitation details are described in the connected documents; the attack targets the XSLX reader logic. Mitigation: u...
CVE-2026-46839
CVE-2026-46839 affects Oracle REST Data Services (ORDS) Core. Affected versions are 24.2.0–26.1.0. The vulnerability allows a low-privileged attacker with network access via HTTPS to compromise ORDS and can lead to takeover, with CVSS v3.1 base score 9.9 (CRITICAL) and impact to Confidentiality, ...
CVE-2025-30756
The CVE-2025-30756 entry concerns Oracle REST Data Services (ORDS) version 24.2.0. Aware from the PT-2025-29607 entry, an easily exploitable issue allows an unauthenticated attacker with network access via HTTP to compromise ORDS; exploitation requires human interaction from a user other than the...
CVE-2020-14745
CVE-2020-14745 affects Oracle REST Data Services (ORDS) General component. Affected versions include 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, and Standalone ORDS before 20.2.1. The issue enables a low-privileged, network-accessible attacker over HTTP to read a subset of ORDS data. No exploitation ...
CVE-2020-14744
The CVE-2020-14744 issue affects Oracle REST Data Services (ORDS) General component. Affected versions are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c, with Standalone ORDS prior to 20.2.1. The vulnerability is described as easily exploitable by a low-privileged attacker who has network access via...
CVE-2026-46775
Oracle REST Data Services (Core) is affected in versions 24.2.0–26.1.0. The vulnerability allows a low-privileged, unauthenticated attacker with HTTPS network access to compromise the service, potentially taking over the Oracle REST Data Services and impacting related products. CVSS 3.1 base scor...
CVE-2026-35277
CVE-2026-35277 affects Oracle REST Data Services (Core). Affected versions: 24.2.0–26.1.0. The vulnerability is exploitable by a low-privileged attacker with network access via HTTPS, potentially leading to unauthorized creation, deletion or modification of data, or unauthorized access to Oracle ...
CVE-2026-46830
Oracle REST Data Services (ORDS) Mongoapi component is affected. Affected versions: 24.2.0–26.1.0. The vulnerability allows an unauthenticated attacker with network access via HTTPS to read a subset of ORDS data. The CVSS v3.1 base score is 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:...
CVE-2026-46841
Oracle REST Data Services (ORDS) is affected, specifically versions 24.2.0–26.1.0 in the General component. The vulnerability allows an unauthenticated attacker with network access over HTTPS to potentially read a subset of ORDS data. CVSS 3.1 base score is 5.3 (Confidentiality impact: Low). No e...
CVE-2026-46829
The vulnerability CVE-2026-46829 affects Oracle REST Data Services (component: Mongoapi) in versions 24.2.0–26.1.0. An unauthenticated attacker with network access over HTTPS can compromise the service, potentially causing a hang or complete DoS. The CVSS v3.1 base score is 7.5 (Availability high...
CVE-2026-46842
The CVE-2026-46842 entry concerns Oracle REST Data Services (ORES) Core. Affected versions are 24.2.0–26.1.0. The vulnerability is exploitable by an unauthenticated attacker over HTTPS, potentially leading to unauthorized update, insert, or delete operations on some ORES data. The CVSSv3.1 base s...
CVE-2026-46843
Affected product: Oracle REST Data Services (Core). Affected versions: 24.2.0–26.1.0. Vulnerability: unauthenticated, network-accessible via HTTPS, can cause a partial denial of service (partial DOS) to Oracle REST Data Services. Impact: CVSS v3.1 Base Score 5.3 (Availability impact). Exploitabil...
CVE-2026-35266
CVE-2026-35266 concerns Oracle REST Data Services (Core). Affected: ORO REST Data Services versions 24.2.0–26.1.0. The vulnerability allows a low-privilege, network-accessible attacker (via HTTPS) to compromise Oracle REST Data Services, with exploitation requiring user interaction. Impacts inclu...