CVSS: 8.1EPSS: 3%CPEs: 33EXPL: 1CVE-2020-24616
https://notcve.org/view.php?id=CVE-2020-24616
25 Aug 2020 — FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.6, maneja inapropiadamente la interacción entre los dispositivos de serialización y la escritura, relacionada con br.com.anteros.dbcp.AnterosDBCPDataSource (también se conoce como Anteros-DBCP) • https://github.com/0xkami/cve-2020-24616-poc • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 49%CPEs: 11EXPL: 1CVE-2018-1285 – Ubuntu Security Notice USN-4699-1
https://notcve.org/view.php?id=CVE-2018-1285
11 May 2020 — Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files. Apache log4net versiones anteriores a 2.0.10, no deshabilita las entidades externas XML cuando analiza los archivos de configuración de log4net. Esto permite realizar ataques basados en XXE en aplicaciones que aceptan archivos de configuración log4net controlados por el atacante It w... • https://github.com/alex-ermolaev/Log4NetSolarWindsSNMP- • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 2%CPEs: 79EXPL: 0CVE-2020-10683 – dom4j: XML External Entity vulnerability in default SAX parser
https://notcve.org/view.php?id=CVE-2020-10683
01 May 2020 — dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. dom4j versiones anteriores a 2.0.3 y versiones 2.1.x anteriores a 2.1.3, permite DTDs y External Entities por defecto, lo que podría permitir ataques de tipo XXE. Sin embargo, existe una documentación externa popular de OWASP que mues... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.9EPSS: 2%CPEs: 206EXPL: 6CVE-2020-11022 – Potential XSS vulnerability in jQuery
https://notcve.org/view.php?id=CVE-2020-11022
29 Apr 2020 — In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. En las versiones de jQuery mayores o iguales a 1.2 y anteriores a la versión 3.5.0, se puede ejecutar HTML desde fuentes no seguras, incluso después de desinfectarlo, a uno de los métodos de manipulación DOM de jQuery (es decir .h... • https://packetstorm.news/files/id/162159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 9%CPEs: 81EXPL: 8CVE-2020-11023 – JQuery Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2020-11023
29 Apr 2020 — In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing
CVSS: 5.3EPSS: 1%CPEs: 52EXPL: 1CVE-2020-5397 – CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux
https://notcve.org/view.php?id=CVE-2020-5397
17 Jan 2020 — Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client cer... • https://pivotal.io/security/cve-2020-5397 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.0EPSS: 89%CPEs: 63EXPL: 1CVE-2020-5398 – RFD Attack via "Content-Disposition" Header Sourced from Request Input by Spring MVC or Spring WebFlux Application
https://notcve.org/view.php?id=CVE-2020-5398
16 Jan 2020 — In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input. En Spring Framework, versiones 5.2.x anteriores a 5.2.3, versiones 5.1.x anteriores a 5.1.13 y versiones 5.0.x anteriores a 5.0.16, una aplicación es vulnerable a un ataque de tipo reflected file... • https://github.com/motikan2010/CVE-2020-5398 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-494: Download of Code Without Integrity Check •
CVSS: 7.5EPSS: 2%CPEs: 4EXPL: 0CVE-2020-2673
https://notcve.org/view.php?id=CVE-2020-2673
15 Jan 2020 — Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Oracle Flow Builder). Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1 and 13.3.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Testing Suite accessible... • https://www.oracle.com/security-alerts/cpujan2020.html •
CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 1CVE-2019-5064
https://notcve.org/view.php?id=CVE-2019-5064
03 Jan 2020 — An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV, before version 4.2.0. A specially crafted JSON file can cause a buffer overflow, resulting in multiple heap corruptions and potentially code execution. An attacker can provide a specially crafted file to trigger this vulnerability. Existe una vulnerabilidad de desbordamiento del búfer de almacenamiento dinámico explotable en la funcionalidad de persistencia de la estructura de datos de OpenCV,... • https://github.com/opencv/opencv/issues/15857 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 5%CPEs: 4EXPL: 1CVE-2019-5063
https://notcve.org/view.php?id=CVE-2019-5063
03 Jan 2020 — An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV 4.1.0. A specially crafted XML file can cause a buffer overflow, resulting in multiple heap corruptions and potential code execution. An attacker can provide a specially crafted file to trigger this vulnerability. Existe una vulnerabilidad de desbordamiento de búfer de la pila en la funcionalidad de persistencia de la estructura de datos de OpenCV versión 4.1.0. Un archivo XML especialmente dis... • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0852 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •