2 results (0.005 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2

The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API. • https://github.com/nuxeo/nuxeo/blob/master/modules/platform/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/webengine/oauth2/OAuth2Callback.java https://securitylab.github.com/advisories/GHSL-2021-072-nuxeo • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8EPSS: 2%CPEs: 28EXPL: 0

RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165. La implementación de RichFaces en Nuxeo Platform versión 5.6.0 anterior a HF27 y versión 5.8.0 anterior a HF-01, no restringe las clases para las que los métodos de deserialización pueden ser llamados, lo que permite a atacantes remotos ejecutar código arbitrario por medio de datos serializados diseñados. NOTA: esta vulnerabilidad puede solaparse con CVE-2013-2165. • http://doc.nuxeo.com/display/public/ADMINDOC58/Nuxeo+Security+Hotfixes https://bugzilla.redhat.com/show_bug.cgi?id=1027052 https://github.com/nuxeo/richfaces/commit/6cbad2a6dcb70d3e33a6ce5879b1a3ad79eb1aec • CWE-502: Deserialization of Untrusted Data •