pippo-xstream is vulnerable to remote code execution. The XstreamEngine component does not validate XML data before unmarshalling it, so XML data containing malicious types may lead to arbitrary code execution via a command passed to java.lang.ProcessBuilder.
CPE Name | Operator | Version
---|---|---
pippo xstream | le | 0.8.0
pippo xstream | le | 1.11.0
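
The missing validation described above is what XStream's type permissions provide: the unmarshaller starts from deny-all and resolves only explicitly allowed classes. The sketch below is an added example, not Pippo's own code or its fix; it assumes XStream 1.4.7 or later on the classpath, and the `Contact` class, the helper names and both XML strings are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowlistedXml {
    // Hypothetical application type: the only class callers should ever receive.
    public static class Contact {
        String name;
        String email;
    }

    // Build an XStream instance that refuses every type not listed here.
    static XStream hardened(Class<?>... allowed) {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from deny-all
        xs.addPermission(NullPermission.NULL);                // permit null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit primitives and wrappers
        xs.allowTypes(new Class[] {String.class});
        xs.allowTypes(allowed);                               // explicit application types
        return xs;
    }

    // Returns the object if it unmarshals to the expected type, null if rejected.
    static <T> T parse(XStream xs, String xml, Class<T> expected) {
        try {
            // The cast is only a type check on the result; the allowlist is the control.
            return expected.cast(xs.fromXML(xml));
        } catch (XStreamException | ClassCastException e) {
            // ForbiddenClassException is a subtype of XStreamException.
            System.err.println("rejected: " + e.getClass().getSimpleName());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardened(Contact.class);
        xs.alias("contact", Contact.class);

        // Constructed inputs: one expected document, one naming a type outside the allowlist.
        String expectedDoc = "<contact><name>Ada</name><email>ada@example.org</email></contact>";
        String unexpectedType = "<java.lang.ProcessBuilder/>";

        System.out.println("contact accepted: " + (parse(xs, expectedDoc, Contact.class) != null));
        System.out.println("unlisted type rejected: " + (parse(xs, unexpectedType, Contact.class) == null));
    }
}
```

Logging the rejected class name at the point of the catch gives detection a signal when a client submits XML that names types the application never exchanges.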