CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0445 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219 https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba0911 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-2904 – Oracle ADF Faces Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-2904
Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). • http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpuapr2021.html https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.zerodayinitiative.com/advisories/ZDI-19-1024 •
CVE-2019-17091
https://notcve.org/view.php?id=CVE-2019-17091
faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled. El archivo faces/context/PartialViewContextImpl.java en Eclipse Mojarra, como es usado en Mojarra para Eclipse EE4J versiones anteriores a 2.3.10 y Mojarra JavaServer Faces versiones anteriores a 2.2.20, permite un ataque de tipo XSS Reflejado porque un campo client window es manejado inapropiadamente. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244 https://github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f https://github.com/eclipse-ee4j/mojarra/compare/2.3.9-RELEASE...2.3.10-RELEASE https://github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt https://github.com/eclipse-ee4j/mojarra/issues/4556 https://github.com/eclipse-ee4j/mojarra/pull/4567 https://github.com/javaserv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-3740
https://notcve.org/view.php?id=CVE-2019-3740
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys. RSA BSAFE Crypto-J versiones anteriores a 6.2.5, son susceptibles a una vulnerabilidad de Exposición de Información por medio de vulnerabilidades de Discrepancia de Sincronización durante la generación de claves DSA. Un atacante remoto malicioso podría explotar potencialmente esas vulnerabilidades para recuperar claves DSA. • https://www.dell.com/support/security/en-us/details/DOC-106556/DSA-2019-094-RSA-BSAFE®%3B-Crypto-J-Multiple-Security-Vulnerabilities https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/security-alerts/cpuoct2021.html • CWE-203: Observable Discrepancy CWE-310: Cryptographic Issues •
CVE-2019-3739
https://notcve.org/view.php?id=CVE-2019-3739
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys. RSA BSAFE Crypto-J versiones anteriores a 6.2.5, son vulnerables a la Exposición de Información por medio de vulnerabilidades de Discrepancia de Sincronización durante la generación de claves ECDSA. Un atacante remoto malicioso podría explotar potencialmente esas vulnerabilidades para recuperar claves ECDSA. • https://www.dell.com/support/security/en-us/details/DOC-106556/DSA-2019-094-RSA-BSAFE®%3B-Crypto-J-Multiple-Security-Vulnerabilities https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/security-alerts/cpuoct2021.html • CWE-203: Observable Discrepancy CWE-310: Cryptographic Issues •