64 matches found
CVE-2020-11023
The connected Astra Linux bulletin confirms CVE-2020-11023: in jQuery versions >= 1.0.3 and < 3.5.0, passing HTML containing elements from untrusted sources to DOM manipulation methods (e.g., .html(), .append()) may lead to untrusted code execution. Patch released in jQuery 3.5.0. Remediat...
CVE-2015-9251
CVE-2015-9251 affects jQuery before 3.0.0, enabling XSS when a cross-domain Ajax request omits the dataType option and text/javascript responses are executed. Connected advisories confirm the issue and indicate an upgrade resolves it; remediation is to upgrade jQuery to a fixed version as provide...
CVE-2019-11358
CVE-2019-11358 is a prototype pollution vulnerability in jQuery (before 3.4.0) where mishandling of extend(true, {}, ...) can extend Object.prototype if an unsanitized source object has an enumerable proto property. The Core issue is triggered when a polluted prototype is introduced via nested ob...
CVE-2017-12617
CVE-2017-12617 concerns Apache Tomcat JSP upload via HTTP PUT when readonly=false and PUTs are allowed. Affected: Tomcat 7.x/8.x/9.x (various 7.0.0–7.0.81, 8.0.0.RC1–8.0.46, 8.5.0–8.5.22, 9.0.0.M1–9.0.0) with PUT enabled. Root cause: PUT request handling allowed uploading a JSP, enabling remote c...
CVE-2021-45105
Summary of CVE-2021-45105 (Log4j2) : Affected Log4j 2.x versions 2.0-alpha1 through 2.16.0 (except 2.12.3 and 2.3.1) are vulnerable to denial of service via uncontrolled recursion triggered by self-referential lookups in Thread Context Map data. The root cause is improper handling of self-referen...
CVE-2021-26272
CVE-2021-26272 is a ReDoS in CKEditor 4 Autolink: by pasting crafted URL-like text and pressing Enter/Space, a victim can trigger a denial-of-service. The publicly documented detail confirms CKEditor 4.x up to before 4.16 is affected; remediation is to upgrade to CKEditor 4.16+ or apply a fix as ...
CVE-2019-13990
CVE-2019-13990 affects Terracotta Quartz Scheduler within Atlassian Jira Service Management Data Center/Server and related Oracle Fusion Middleware deployments, via XXE in the Terracotta Quartz Scheduler component when parsing a job description. The root cause is an XML External Entity condition ...
CVE-2021-26271
CVE-2021-26271 affects CKEditor 4 before 4.16. An attacker could trigger a ReDoS-type DoS by persuading a victim to paste crafted text into the Styles input of dialogs (Advanced Tab in the Dialogs plugin). Affected versions are CKEditor 4.x prior to 4.16; remediation is to upgrade to 4.16 or newe...
CVE-2021-29505
CVE-2021-29505 affects XStream (Java XML serialization) in versions before 1.4.17. The public docs indicate the fix is in 1.4.17; multiple advisories (Debian, Fedora, Amazon Linux, Astra Linux) reference this CVE in the context of libxstream-java. Atlassian Jira Server/Data Center reports indicat...
CVE-2020-5258
CVE-2020-5258 affects the Dojo NPM package where the deepCopy function is vulnerable to Prototype Pollution. The root cause is injection of properties into native JavaScript prototypes, allowing an attacker to mutate a base object’s prototype. Patched versions are 1.12.8, 1.13.7, 1.14.6, 1.15.3 a...
CVE-2019-17531
CVE-2019-17531 affects FasterXML jackson-databind 2.0.0–2.9.10; when Default Typing is enabled for an externally exposed JSON endpoint and apache-log4j-extra 1.2.x is on the classpath, an attacker capable of providing a JNDI service can trigger remote code execution. Connected documents corrobora...
CVE-2014-0107
CVE-2014-0107 concerns the TransformerFactory in Apache Xalan-Java before 2.7.2, which does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, potentially allowing remote attackers to bypass restrictions and load arbitrary classes or access external reso...
CVE-2019-16943
CVE-2019-16943 affects FasterXML jackson-databind (versions 2.0.0–2.9.10) via a polymorphic typing flaw that, when Default Typing is enabled for an exposed JSON endpoint and a p6spy P6DataSource is present in the classpath with an accessible RMI endpoint, can lead to remote code execution. The ro...
CVE-2019-12415
CVE-2019-12415 affects Apache POI up to version 4.1.0. The vulnerability arises when using the tool XSSFExportToXml to convert user-supplied Excel documents, allowing an attacker to read local filesystem or internal network resources via XML External Entity (XXE) processing. The Connected documen...
CVE-2019-16942
CVE-2019-16942 affects FasterXML jackson-databind 2.0.0–2.9.10. When Default Typing is enabled for an externally exposed JSON endpoint and the service includes the commons-dbcp 1.4 jar on the classpath, with an accessible RMI endpoint, the vulnerability can allow execution of a malicious payload ...
CVE-2021-32808
CKEditor 4.x clipboard Widget plugin vulnerability (CVE-2021-32808) arises from improper validation of widget HTML when used with the undo feature, allowing a remote attacker to trigger JavaScript execution in the victim’s browser. Affected: CKEditor 4 plugins with version >= 4.13.0. Remediati...
CVE-2018-15756
CVE-2018-15756 (Spring Framework) affects Spring Web MVC/WebFlux ranges handling: the ResourceHttpRequestHandler, or returning a Resource from an annotated controller, can be abused by a crafted Range header to trigger a denial-of-service. Affected versions include Spring Framework 5.1, 5.0.x bef...
CVE-2015-3253
CVE-2015-3253 affects Apache Groovy 1.7.0–2.4.3. The vulnerability resides in deserialization via crafted serialized objects in the MethodClosure.java runtime, enabling remote code execution or DoS. Exploitation was reported across multiple advisories; F5 and other vendors reference the same issu...
CVE-2019-5427
CVE-2019-5427 affects c3p0, where versions older than 0.9.5.4 are vulnerable to a billion laughs (XML entity expansion) attack when loading XML configuration due to missing protections against recursive entity expansion. Public sources in connected documents confirm the issue exists in c3p0
CVE-2020-7226
Technical details for CVE-2020-7226 are not provided in the connected documents. The initial description notes memory exhaustion in Cryptacular’s CiphertextHeader during decode, but no version/vendor specifics beyond Cryptacular 1.2.3. Monitor for updates.
CVE-2021-27906
CVE-2021-27906 affects Apache PDFBox; a crafted PDF can trigger an OutOfMemoryError when loading, impacting PDFBox 2.0.22 and earlier 2.0.x. The connected IBM/QRadar security bulletin confirms the same CVE ID and notes remediation: upgrade to IBM Cognos-related 2.0.6.12, then apply FixPack 2.0.6....
CVE-2021-27807
CVE-2021-27807 affects Apache PDFBox 2.0.22 and earlier 2.0.x. The issue arises when loading a crafted PDF, triggering an infinite loop and causing denial of service. Connected IBM advisories confirm the same description and map remediation to upgrading to fixed PDFBox versions via product-specif...
CVE-2019-0228
CVE-2019-0228 affects Apache PDFBox 2.0.14, enabling an XML External Entity (XXE) attack via crafted XFDF. IBM advisories fix the vulnerability by upgrading IBM Operations Analytics - Log Analysis to version 1.3.7 (PDFBox handling) and Fedora advisories show a PDFBox update to 2.0.16. The vulnera...
CVE-2013-4316
CVE-2013-4316 affects Apache Struts 2.0.0–2.3.15.1, where Dynamic Method Invocation is enabled by default, enabling remote code execution with OGNL-parameter crafted requests. The IBM and related advisories confirm this vulnerability and reference the same CVE, describing the impact as remote cod...
CVE-2018-2791
Oracle WebCenter Sites (FatWire Content Server) within Oracle Fusion Middleware (Advanced UI) is affected by CVE-2018-2791, with impacted versions 11.1.1.8.0, 12.2.1.2.0 and 12.2.1.3.0. The connected documents describe multiple cross‑site scripting (XSS) vulnerabilities that could allow an unauth...
CVE-2018-3238
Oracle Fusion Middleware WebCenter Sites 11.1.1.8.0 is affected by a cross-site scripting vulnerability in the WebCenter Sites component (subcomponent: Advanced UI). The vulnerability, described as easily exploitable, could allow a high-privileged attacker with network access over HTTP to execute...
CVE-2019-2578
Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 (Advanced UI) is affected by CVE-2019-2578 due to broken access control. This could let an unauthenticated attacker with network access over HTTP gain unauthorized access to data across the WebCenter Sites instance. The CVSSv3 base score is 8.6 ...
CVE-2019-2579
Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 is affected by CVE-2019-2579, tied to a SQL injection vulnerability in the WebCenter Sites component (Advanced UI). The Nuclei template confirms a SQLi condition that is exploitable by a low-privileged attacker with network access over HTTP, pot...
CVE-2017-10033
CVE-2017-10033 affects Oracle WebCenter Sites (Support Tools subcomponent) in Oracle Fusion Middleware. Vulnerable versions are 11.1.1.8.0 and 12.2.1.2.0. The issue enables an unauthenticated attacker with access to the hosting infrastructure to perform unauthorized read, update, insert, or delet...
CVE-2020-2538
CVE-2020-2538 affects Oracle WebCenter Sites (component: Advanced UI) in Oracle Fusion Middleware, with affected version 12.2.1.3.0. The vulnerability description indicates unauthenticated network access via HTTP, requiring user interaction, and potentially unauthorized data updates/deletes, read...
CVE-2017-3543
CVE-2017-3543 affects Oracle WebCenter Sites Server component in Oracle Fusion Middleware (versions 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0). An unauthenticated attacker with network access via HTTP can compromise data confidentiality, integrity, and availability. The vulnerability is desc...
CVE-2024-20908
Oracle WebCenter Sites (12.2.1.4.0) is affected by a vulnerability in the Advanced UI that allows an unauthenticated attacker with network access over HTTP to potentially modify or read data. The issue requires user interaction and may impact other Oracle Fusion Middleware products (scope change)...
CVE-2017-3540
Oracle WebCenter Sites within Oracle Fusion Middleware (Server subcomponent) is affected by CVE-2017-3540. Affected versions: 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0. The vulnerability allows an unauthenticated attacker with network access via HTTP to cause a hang or crash (DOS) and perfor...
CVE-2017-3595
The CVE-2017-3595 entry concerns Oracle WebCenter Sites within Oracle Fusion Middleware (subcomponent: Advanced UI). Affected versions are 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0. The vulnerability allows a low-privilege, network-accessible attacker (via HTTP) to compromise the system, ...
CVE-2017-3603
Oracle WebCenter Sites (Oracle Fusion Middleware) contains CVE-2017-3603 in the Advanced UI subcomponent. Affected versions are 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0. The description states a difficult-to-exploit vulnerability that allows a low-privileged, network-accessible attacker ...
CVE-2017-3596
Oracle WebCenter Sites (part of Oracle Fusion Middleware) is affected in versions 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0, and 12.2.1.2.0 within the Advanced UI subcomponent. The CVE-2017-3596 issue is described as an easily exploitable vulnerability allowing a low-privileged, network-accessible attac...
CVE-2017-3541
CVE-2017-3541 : A vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server) affects 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0. An unauthenticated attacker with network access over HTTP can compromise Oracle WebCenter Sites, potentially result...
CVE-2017-3545
Vulnerability CVE-2017-3545 affects Oracle WebCenter Sites (Fusion Middleware) subcomponent Blob Server. Affected versions: 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0. The issue allows an unauthenticated attacker with network access over HTTP to compromise the system, enabling unauthorized cr...
CVE-2017-3554
CVE-2017-3554 affects Oracle WebCenter Sites (Oracle Fusion Middleware) under the Catalog Mover subcomponent. Affected versions: 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0. The vulnerability enables a low-privileged attacker who can access the service over HTTP from the network to compromi...
CVE-2020-2539
CVE-2020-2539 affects Oracle WebCenter Sites (Advanced UI) in Oracle Fusion Middleware, vulnerable in version 12.2.1.3.0. An unauthenticated attacker with network access via HTTP can compromise data, with successful attacks enabling unauthorized update/insert/delete and read access to WebCenter S...
CVE-2017-3593
Technical details about CVE-2017-3593 are not publicly provided in the connected documents. Monitor for updates to confirm affected products, root cause, impact, and available fixes.
CVE-2017-3597
CVE-2017-3597 affects Oracle WebCenter Sites (Advanced UI) within Oracle Fusion Middleware. Affected versions are 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0. The vulnerability allows a low-privilege, network-access attacker to compromise WebCenter Sites via HTTP, with human interaction req...
CVE-2017-3598
CVE-2017-3598 affects Oracle WebCenter Sites (Advanced UI) in Oracle Fusion Middleware. Affected versions include 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0, and 12.2.1.2.0. The vulnerability allows a low-privilege, network attacker to obtain unauthorized read access to a subset of data via HTTP. Base CV...
CVE-2018-2584
The provided documents do not include technical details beyond the initial description for CVE-2018-2584; monitor for updates as public details remain unavailable in the supplied set.
CVE-2020-14613
CVE-2020-14613 affects Oracle WebCenter Sites (Oracle Fusion Middleware) in the Advanced User Interface component. Affected are 12.2.1.3.0 and 12.2.1.4.0. The vulnerability allows an unauthenticated attacker with network access over HTTP to compromise WebCenter Sites; exploitation requires user i...
CVE-2017-3594
CVE-2017-3594 affects Oracle WebCenter Sites (Advanced UI) within Oracle Fusion Middleware. The vulnerability impacts supported versions 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0, where a low-privileged, network-authenticated attacker can exploit via HTTP to gain unauthorized access to da...
CVE-2017-3602
CVE-2017-3602 concerns Oracle WebCenter Sites (Oracle Fusion Middleware), specifically the Advanced UI subcomponent. Affected versions are 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0. The vulnerability allows a low-privileged, network-accessing attacker (via HTTP) to compromise WebCenter Si...
CVE-2017-3542
CVE-2017-3542 affects Oracle WebCenter Sites (Oracle Fusion Middleware) Server subcomponent; affected versions 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0. It allows an unauthenticated attacker over HTTP to access/modify data and cause partial DOS. CVSSv3.0 base score 8.6 (HIGH). Remediation: ...
CVE-2017-3591
CVE-2017-3591 affects Oracle WebCenter Sites (Oracle Fusion Middleware) in the Catalog Mover subcomponent. Affects listed versions: 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0. The vulnerability can be exploited by an unauthenticated remote attacker over HTTP, with user interaction required...
CVE-2020-2739
Oracle WebCenter Sites (component: Advanced UI) in Fusion Middleware, version 12.2.1.3.0, is affected by CVE-2020-2739. Multiple sources confirm an unauthenticated attacker with network access over HTTP can compromise the product, with human interaction required for exploitation; impact includes ...