11 results (0.017 seconds)

CVSS: 10.0EPSS: 96%CPEs: 398EXPL: 30

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. • https://github.com/fullhunt/log4j-scan https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words https://github.com/cyberstruggle/L4sh https://github.com/woodpecker-appstore/log4j-payload-generator https://github.com/tangxiaofeng7/apache-log4j-poc https://www.exploit-db.com/exploits/51183 https://www.exploit-db.com/exploits/50592 https://www.exploit-db.com/exploits/50590 https://github.com/logpresso/CVE-2021-44228-Scanner https://github.com/jas502n/Log4j2-CVE-2021-44228 h • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption CWE-502: Deserialization of Untrusted Data CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in the web framework of Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of some parameters that are passed to the web server of the affected software. An attacker could exploit this vulnerability by persuading a user to access a malicious link or by intercepting a user request for the affected web interface and injecting malicious code into that request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web-based management interface or access sensitive, browser-based information. Una vulnerabilidad en el framework web de Cisco Emergency Responder, podría permitir a un atacante autenticado, remoto conducir un ataque de tipo cross-site scripting (XSS) contra un usuario de la interfaz de administración basada en web. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-er-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Multiple open redirect vulnerabilities in Cisco Emergency Responder (ER) 8.6 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters, aka Bug ID CSCun37909. Múltiples vulnerabilidades de redirección abierta en Cisco Emergency Responder (ER) 8.6 y anteriores permiten a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a través de parámetros no especificados, también conocido como Bug ID CSCun37909. • http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2117 http://tools.cisco.com/security/center/viewAlert.x?alertId=33642 http://www.securityfocus.com/bid/66634 http://www.securitytracker.com/id/1030019 • CWE-20: Improper Input Validation •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Cisco Emergency Responder (ER) 8.6 and earlier allows remote attackers to inject web pages and modify dynamic content via unspecified parameters, aka Bug ID CSCun37882. Cisco Emergency Responder (ER) 8.6 y anteriores permite a atacantes remotos inyectar páginas web y modificar contenido dinámico a través de parámetros no especificados, también conocido como Bug ID CSCun37882. • http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2116 http://tools.cisco.com/security/center/viewAlert.x?alertId=33641 http://www.securityfocus.com/bid/66632 http://www.securitytracker.com/id/1030019 • CWE-20: Improper Input Validation •

CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0

Multiple cross-site request forgery (CSRF) vulnerabilities in CERUserServlet pages in Cisco Emergency Responder (ER) 8.6 and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCun24250. Múltiples vulnerabilidades de CSRF en páginas de CERUserServlet en Cisco Emergency Responder (ER) 8.6 y anteriores permiten a atacantes remotos secuestrar la autenticación de usuarios arbitrarios, también conocido como Bug ID CSCun24250. • http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2115 http://tools.cisco.com/security/center/viewAlert.x?alertId=33643 http://www.securityfocus.com/bid/66631 http://www.securitytracker.com/id/1030019 • CWE-352: Cross-Site Request Forgery (CSRF) •