Page 3 of 12 results (0.005 seconds)

CVSS: 6.5EPSS: 0%CPEs: 72EXPL: 0

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. Spring Framework, en versiones 5.0 anteriores a la 5.0.5 y versiones 4.3 anteriores a la 4.3.15, así como versiones más antiguas no soportadas, permite que las aplicaciones configuren Spring MVC para que sirva recursos estáticos (por ejemplo, CSS, JS o imágenes). Cuando se sirven recursos estáticos desde un sistema de archivos en Windows (en contraposición a classpath o a ServletContext), un usuario malicioso puede enviar una petición mediante una URL especialmente manipulada que puede llevar a un ataque de salto de directorio. • http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/103699 https://access.redhat.com/errata/RHSA-2018:1320 https://access.redhat.com/errata/RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2939 https://pivotal.io/security/cve-2018-1271 https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2021.html https: • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.1EPSS: 0%CPEs: 81EXPL: 1

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. jQuery en versiones anteriores a la 3.0.0 es vulnerable a ataques de Cross-site Scripting (XSS) cuando se realiza una petición Ajax de dominios cruzados sin la opción dataType. Esto provoca que se ejecuten respuestas de texto/javascript. • https://github.com/halkichi0308/CVE-2015-9251 http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html http://seclists.org/fulldisclosure/2019/May/10 http://seclists.org/fulldisclosure/2019/May/11 http://seclists.org/fulldisclosure/2019/May/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •