Page 2 of 9 results (0.045 seconds)

CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 1

A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. Se encontró un fallo de tipo cross-site scripting (XSS) en RESTEasy en versiones anteriores a 3.11.1.Final y anteriores a 4.5.3.Final, donde no manejaba apropiadamente la codificación de URL cuando ocurre la excepción RESTEASY003870. Un atacante podría usar este fallo para lanzar un ataque XSS reflejado A cross-site scripting (XSS) flaw was found in RESTEasy, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. • https://bugzilla.redhat.com/show_bug.cgi?id=1814974 https://github.com/quarkusio/quarkus/issues/7248 https://issues.redhat.com/browse/RESTEASY-2519 https://security.netapp.com/advisory/ntap-20210706-0008 https://access.redhat.com/security/cve/CVE-2020-10688 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 0

JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions. JBoss RESTEasy, en versiones anteriores a la 3.1.2, podría ser forzado a analizar una petición con YamlProvider, lo que resulta en la deserialización de datos potencialmente no fiables. Esto podría permitir que un atacante ejecute código arbitrario con permisos de aplicación RESTEasy. It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy. • http://rhn.redhat.com/errata/RHSA-2017-1255.html http://rhn.redhat.com/errata/RHSA-2017-1409.html http://www.securityfocus.com/bid/94940 http://www.securitytracker.com/id/1038524 https://access.redhat.com/errata/RHSA-2017:1253 https://access.redhat.com/errata/RHSA-2017:1254 https://access.redhat.com/errata/RHSA-2017:1256 https://access.redhat.com/errata/RHSA-2017:1260 https://access.redhat.com/errata/RHSA-2017:1410 https://access.redhat.com/errata/RHSA-2017:1411 h • CWE-20: Improper Input Validation •

CVSS: 5.0EPSS: 0%CPEs: 14EXPL: 0

The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818. La función ReadFrom en providers.jaxb.JAXBXmlTypeProvider en RESTEasy anterior a v2.3.2 permite a atacantes remotos leer archivos de su elección a través de una referencia de entidad externa en una entrada Java Architecture for XML Binding (JAXB), también conocido como ataque de inyección XML de entidad externa (XXE), una vulnerabilidad CVE-similar a 2.012-0.818. • http://rhn.redhat.com/errata/RHSA-2012-0441.html http://rhn.redhat.com/errata/RHSA-2012-0519.html http://rhn.redhat.com/errata/RHSA-2012-1056.html http://rhn.redhat.com/errata/RHSA-2012-1057.html http://rhn.redhat.com/errata/RHSA-2012-1058.html http://rhn.redhat.com/errata/RHSA-2012-1059.html http://rhn.redhat.com/errata/RHSA-2012-1125.html http://rhn.redhat.com/errata/RHSA-2014-0371.html http://rhn.redhat.com/errata/RHSA-2014-0372.html http://secuni • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 5.0EPSS: 0%CPEs: 13EXPL: 0

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack. RESTEasy anterior a v2.3.1 permite a atacantes remotos leer archivos de su elección a través de una referencia de entidad externa en un documento DOM, también conocido como un ataque de inyección XML de entidad externa (XXE) • http://rhn.redhat.com/errata/RHSA-2012-0441.html http://rhn.redhat.com/errata/RHSA-2012-0519.html http://rhn.redhat.com/errata/RHSA-2012-1056.html http://rhn.redhat.com/errata/RHSA-2012-1057.html http://rhn.redhat.com/errata/RHSA-2012-1058.html http://rhn.redhat.com/errata/RHSA-2012-1059.html http://rhn.redhat.com/errata/RHSA-2012-1125.html http://rhn.redhat.com/errata/RHSA-2014-0371.html http://rhn.redhat.com/errata/RHSA-2014-0372.html http://secuni • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •