CVSS: 7.5EPSS: 0%CPEs: 38EXPL: 0CVE-2019-12402 – apache-commons-compress: Infinite loop in name encoding algorithm
https://notcve.org/view.php?id=CVE-2019-12402
29 Aug 2019 — The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. El algoritmo de codificación de nombre de archivo utilizado internamente en Apache Commons Compress versiones 1.15 hasta 1.18, puede entrar en un bucle infinito cuando se enfrenta a entradas especialmente diseñadas. Esto pue... • https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b%40%3Cdev.commons.apache.org%3E • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.1EPSS: 0%CPEs: 218EXPL: 7CVE-2019-11358 – jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
https://notcve.org/view.php?id=CVE-2019-11358
19 Apr 2019 — jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. jQuery, en versiones anteriores a 3.4.0, como es usado en Drupal, Backdrop CMS, y otros productos, maneja mal jQuery.extend(true, {}, ...) debido a la contaminación de Object.prototype. Si un objeto fuente no sanitizado contenía una propi... • https://github.com/isacaya/CVE-2019-11358 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 9.8EPSS: 14%CPEs: 58EXPL: 0CVE-2018-14718 – jackson-databind: arbitrary code execution in slf4j-ext class
https://notcve.org/view.php?id=CVE-2018-14718
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos ejecutar código arbitrario aprovechando un fallo para bloquear la clase slf4j-ext de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malic... • http://www.securityfocus.com/bid/106601 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 3%CPEs: 41EXPL: 0CVE-2018-14720 – jackson-databind: exfiltration/XXE in some JDK classes
https://notcve.org/view.php?id=CVE-2018-14720
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes realizar ataques de tipo XML External Entity Injection (XXE) aprovechando su incapacidad de bloquear clases JDK no especificadas de deserialización polimórfica. Red Hat Decision Manager is an open source decis... • https://access.redhat.com/errata/RHBA-2019:0959 • CWE-502: Deserialization of Untrusted Data CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 10.0EPSS: 9%CPEs: 41EXPL: 0CVE-2018-14721 – jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
https://notcve.org/view.php?id=CVE-2018-14721
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos realizar ataques de SSRF (Server-Side Request Forgery) aprovechando un fallo para bloquear la clase axis2-ext de deserialización polimórfica. Red Hat Decision Manager is an open source de... • https://access.redhat.com/errata/RHBA-2019:0959 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 3%CPEs: 55EXPL: 0CVE-2018-14719 – jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
https://notcve.org/view.php?id=CVE-2018-14719
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos ejecutar código arbitrario aprovechando un fallo para bloquear las clases blaze-ds-opt y blaze-ds-core de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would p... • https://access.redhat.com/errata/RHBA-2019:0959 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 8%CPEs: 81EXPL: 3CVE-2015-9251 – jquery: Cross-site scripting via cross-domain ajax requests
https://notcve.org/view.php?id=CVE-2015-9251
18 Jan 2018 — jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. jQuery en versiones anteriores a la 3.0.0 es vulnerable a ataques de Cross-site Scripting (XSS) cuando se realiza una petición Ajax de dominios cruzados sin la opción dataType. Esto provoca que se ejecuten respuestas de texto/javascript. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applic... • https://github.com/halkichi0308/CVE-2015-9251 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.2EPSS: 1%CPEs: 5EXPL: 0CVE-2018-2711
https://notcve.org/view.php?id=CVE-2018-2711
18 Jan 2018 — Vulnerability in the Oracle JDeveloper component of Oracle Fusion Middleware (subcomponent: Security Framework). Supported versions that are affected are 11.1.1.2.4, 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle JDeveloper, attacks may significantly impact... • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html •
CVSS: 4.7EPSS: 0%CPEs: 6EXPL: 2CVE-2017-10273 – Oracle JDeveloper 11.1.x/12.x - Directory Traversal
https://notcve.org/view.php?id=CVE-2017-10273
18 Jan 2018 — Vulnerability in the Oracle JDeveloper component of Oracle Fusion Middleware (subcomponent: Deployment). Supported versions that are affected are 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0 and 12.2.1.2.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle JDeveloper executes to compromise Oracle JDeveloper. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle J... • https://packetstorm.news/files/id/145966 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 94%CPEs: 174EXPL: 2CVE-2017-5645 – log4j: Socket receiver deserialization vulnerability
https://notcve.org/view.php?id=CVE-2017-5645
17 Apr 2017 — In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. En Apache Log4j 2.x en versiones anteriores a 2.8.2, cuando se utiliza el servidor de socket TCP o el servidor de socket UDP para recibir sucesos de registro serializados de otra aplicación, puede enviarse una carga binaria especialmente diseñada que, cuando se des... • https://github.com/pimps/CVE-2017-5645 • CWE-502: Deserialization of Untrusted Data •