CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2019-14892 – jackson-databind: Serialization gadgets in classes of the commons-configuration package
https://notcve.org/view.php?id=CVE-2019-14892
20 Jan 2020 — A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. Se detectó un fallo en jackson-databind en las versiones anteriores a 2.9.10, 2.8.11.5 y 2.6.7.3, donde permitiría una deserialización polimórfica de un objeto malicioso utilizando las clases JNDI de commons-configuration 1 y 2. Un atacante... • https://access.redhat.com/errata/RHSA-2020:0729 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 1%CPEs: 7EXPL: 2CVE-2019-14862 – knockout: Cross-site Scripting (XSS) attacks due to not escaping the name attribute.
https://notcve.org/view.php?id=CVE-2019-14862
03 Dec 2019 — There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. Hay una vulnerabilidad en knockout versiones anteriores a la versión 3.5.0-beta, donde después de escapar del contexto de la aplicación web, la aplicación web entrega datos a sus usuarios junto con otro contenido dinámico seguro, sin comprobarlo. Red Hat Decision Manager is an o... • https://github.com/ossf-cve-benchmark/CVE-2019-14862 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-14863 – angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
https://notcve.org/view.php?id=CVE-2019-14863
03 Dec 2019 — There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. Hay una vulnerabilidad en todas las versiones de angular anteriores a la versión 1.5.0-beta.0, donde después de escapar del contexto de la aplicación web, la aplicación web entrega datos a sus usuarios junto con otro contenido dinámico seguro, sin comprobarlo. A cross-site... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 1%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
08 Nov 2019 — A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 1%CPEs: 3EXPL: 0CVE-2017-7545 – jbpmmigration: XXE vulnerability in XmlUtils
https://notcve.org/view.php?id=CVE-2017-7545
30 Nov 2017 — It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. Se ha descubierto que la clase XmlUtils en jbpmmigration 6.5 realizaba la expansión de entidades externas de parámetros mientras analizaba archivos XML. Un atacante remoto podría utiliza... • http://www.securityfocus.com/bid/102179 • CWE-611: Improper Restriction of XML External Entity Reference •