CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48362 – Apache Drill: XXE Vulnerability in XML Format Reader
https://notcve.org/view.php?id=CVE-2023-48362
24 Jul 2024 — XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue. XXE en el complemento de formato XML en Apache Drill versión 1.19.0 y superior permite al usuario leer cualquier archivo en un sistema de archivos remoto o ejecutar comandos a través de un archivo XML malicioso. Se recomienda a los usuarios actualizar a la versió... • http://www.openwall.com/lists/oss-security/2024/07/24/3 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.8EPSS: 2%CPEs: 1EXPL: 0CVE-2023-39553 – Apache Airflow Drill Provider Arbitrary File Read Vulnerability
https://notcve.org/view.php?id=CVE-2023-39553
11 Aug 2023 — Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server. This issue affects Apache Airflow Drill Provider: before 2.4.3. It is recommended to upgrade to a version that is not affected. Improper Input Validation vulnerability in Apache Software Fo... • http://www.openwall.com/lists/oss-security/2023/08/11/1 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 2%CPEs: 1EXPL: 0CVE-2023-28707 – Airflow Apache Drill Provider Arbitrary File Read Vulnerability
https://notcve.org/view.php?id=CVE-2023-28707
07 Apr 2023 — Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2. • http://www.openwall.com/lists/oss-security/2023/04/07/1 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 10%CPEs: 45EXPL: 1CVE-2019-14439 – jackson-databind: Polymorphic typing issue related to logback/JNDI
https://notcve.org/view.php?id=CVE-2019-14439
30 Jul 2019 — A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. Se detectó un problema de escritura polimórfica en jackson-databind de FasterXML versiones 2.x anteriores a 2.9.9.2. Esto ocurre cuando la Escritura Predeterminada está habilitada (globalmente o para una propiedad específica) para un endp... • https://github.com/jas502n/CVE-2019-14439 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 31EXPL: 0CVE-2019-0201 – zookeeper: Information disclosure in Apache ZooKeeper
https://notcve.org/view.php?id=CVE-2019-0201
23 May 2019 — An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthentica... • http://www.securityfocus.com/bid/108427 • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 25%CPEs: 139EXPL: 0CVE-2019-10241 – jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions
https://notcve.org/view.php?id=CVE-2019-10241
22 Apr 2019 — In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. Eclipse Jetty versiones 9.2.26 y anteriores, 9.3.25 y anteriores, 9.3.25 y anteriores, y 9.4.15 y anteriores. El servidor es vulnerable a un Cross-Site Scripting (XSS) si un cliente remoto emplea una URL especialmente formada ... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12630
https://notcve.org/view.php?id=CVE-2017-12630
18 Dec 2017 — In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards. En Apache Drill 1.11.0 y anteriores, cuando se envía el formulario desde la página Query, los usuarios son capaces de pasar scritps o HTML arbitrarios que surtirían efecto despué... • https://lists.apache.org/thread.html/608658a55d09e16542db41121a0a972c97448214cdc04071fd4db923%40%3Cdev.drill.apache.org%3E • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 8EXPL: 1CVE-2010-5312 – jquery-ui: XSS vulnerability in jQuery.ui.dialog title option
https://notcve.org/view.php?id=CVE-2010-5312
24 Nov 2014 — Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. Vulnerabilidad de XSS en jquery.ui.dialog.js en el widget Dialog en jQuery UI anterior a 1.10.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la opción del título. Two cross-site scripting flaws were found in jQuery, which impacted the Identity Management web admini... • http://bugs.jqueryui.com/ticket/6016 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •