Page 3 of 18 results (0.012 seconds)

CVSS: 7.5EPSS: 0%CPEs: 110EXPL: 0

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. En Apache Commons Beanutils 1.9.2, se agregó una clase especial BeanIntrospector que permite suprimir la capacidad de un atacante para acceder al cargador de clases a través de la propiedad de clase disponible en todos los objetos Java. Sin embargo, no se esta usando esta característica por defecto de PropertyUtilsBean. A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4%40apache.org%3e https://access.redhat.com/errata/RHSA-2019:4317 https://access.redhat.com/errata/RHSA-2020:0057 https://access.redhat.com/errata/RHSA-2020:0194 https://access.redhat.com/errata/RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0806 • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8EPSS: 96%CPEs: 19EXPL: 5

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). • https://www.exploit-db.com/exploits/47895 https://github.com/ruthlezs/CVE-2019-2729-Exploit https://github.com/waffl3ss/CVE-2019-2729 https://github.com/pizza-power/weblogic-CVE-2019-2729-POC http://packetstormsecurity.com/files/155886/Oracle-Weblogic-10.3.6.0.0-Remote-Command-Execution.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/security-alerts/ • CWE-284: Improper Access Control •

CVSS: 7.5EPSS: 86%CPEs: 77EXPL: 2

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue. Una vulnerabilidad de tipo SSRF (Server Side Request Forgery) afectó a la distribución de Apache Axis 1.4 que fue lanzada por última vez en 2006. La seguridad y las confirmaciones de errores continúan en el repositorio de Subversion de Axis 1.x, se anima a los usuarios a construir desde el código fuente. • https://www.exploit-db.com/exploits/46682 https://lists.apache.org/thread.html/r3a5baf5d76f1f2181be7f54da3deab70d7a38b5660b387583d05a8cd%40%3Cjava-user.axis.apache.org%3E https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis https://security.netapp.com/advisory/ntap-20240621-0006 https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpua • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 6.1EPSS: 0%CPEs: 76EXPL: 1

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. Apache Axis en versiones 1.x hasta la 1.4 (incluida) es vulnerable a un ataque de Cross-Site Scripting (XSS) en el servlet/services por defecto. • https://github.com/cairuojin/CVE-2018-8032 http://mail-archives.apache.org/mod_mbox/axis-java-dev/201807.mbox/%3CJIRA.13170716.1531060536000.93536.1531060560060%40Atlassian.JIRA%3E https://issues.apache.org/jira/browse/AXIS-2924 https://lists.apache.org/thread.html/3b89bc9e9d055db7eba8835ff6501f3f5db99d2a0928ec0be9b1d17b%40%3Cjava-dev.axis.apache.org%3E https://lists.apache.org/thread.html/d06ed5e4eeb77d00e8d594ec01ee8ee1cba173a01ac4b18f1579d041%40%3Cjava-dev.axis.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/11& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.9EPSS: 0%CPEs: 64EXPL: 0

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. Spring Framework (versiones 5.0.x anteriores a la 5.0.7, versiones 4.3.x anteriores a la 4.3.18 y versiones anteriores sin soporte) permite que las aplicaciones web cambien el método de petición HTTP a cualquier método HTTP (incluyendo TRACE) utilizando HiddenHttpMethodFilter en Spring MVC. Si una aplicación tiene una vulnerabilidad Cross-Site Scripting (XSS) preexistente, un usuario (o atacante) malicioso puede emplear este filtro para escalar a un ataque XST (Cross Site Tracing). • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/107984 https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html https://pivotal.io/security/cve-2018-11039 https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2021.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://www.oracle.com/technetwor •