CVSS: 6.5EPSS: 1%CPEs: 51EXPL: 2CVE-2018-1304 – tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
https://notcve.org/view.php?id=CVE-2018-1304
28 Feb 2018 — The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. El patró... • https://github.com/knqyf263/CVE-2018-1304 • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 7%CPEs: 50EXPL: 1CVE-2018-1305 – tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
https://notcve.org/view.php?id=CVE-2018-1305
23 Feb 2018 — Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. Las restricc... • https://github.com/Pa55w0rd/CVE-2018-1305 • CWE-284: Improper Access Control •
CVSS: 6.1EPSS: 8%CPEs: 81EXPL: 3CVE-2015-9251 – jquery: Cross-site scripting via cross-domain ajax requests
https://notcve.org/view.php?id=CVE-2015-9251
18 Jan 2018 — jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. jQuery en versiones anteriores a la 3.0.0 es vulnerable a ataques de Cross-site Scripting (XSS) cuando se realiza una petición Ajax de dominios cruzados sin la opción dataType. Esto provoca que se ejecuten respuestas de texto/javascript. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applic... • https://github.com/halkichi0308/CVE-2015-9251 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 94%CPEs: 174EXPL: 2CVE-2017-5645 – log4j: Socket receiver deserialization vulnerability
https://notcve.org/view.php?id=CVE-2017-5645
17 Apr 2017 — In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. En Apache Log4j 2.x en versiones anteriores a 2.8.2, cuando se utiliza el servidor de socket TCP o el servidor de socket UDP para recibir sucesos de registro serializados de otra aplicación, puede enviarse una carga binaria especialmente diseñada que, cuando se des... • https://github.com/pimps/CVE-2017-5645 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.3EPSS: 0%CPEs: 46EXPL: 0CVE-2012-1677
https://notcve.org/view.php?id=CVE-2012-1677
17 Jan 2013 — Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware allows remote attackers to affect integrity via unknown vectors. Vulnerabilidad no especificada en el componente Oracle Application Server Single Sign-On en Oracle Fusion Middleware permite a atacantes remotos afectar a la integridad a través de vectores desconocidos. • http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 •
CVSS: 10.0EPSS: 2%CPEs: 2EXPL: 0CVE-2012-3135
https://notcve.org/view.php?id=CVE-2012-3135
17 Jul 2012 — Unspecified vulnerability in the Oracle JRockit component in Oracle Fusion Middleware 28.2.3 and before, and 27.7.2 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Vulnerabilidad no especificada en el componente de Oracle JRockit en Oracle Fusion Middleware v28.2.3 y anteriores, y v27.7.2 y versiones anteriores, permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores desconocidos. • http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 •
CVSS: 10.0EPSS: 1%CPEs: 27EXPL: 0CVE-2012-1695
https://notcve.org/view.php?id=CVE-2012-1695
03 May 2012 — Unspecified vulnerability in the Oracle JRockit component in Oracle Fusion Middleware 28.2.2 and earlier, and JDK/JRE 5 and 6 27.7.1 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Vulnerabilidad no especificada en el componente Oracle JRockit en Oracle Fusion Middleware v28.2.2 y anteriores, y JDK/JRE 5 y 6 27.7.1 y anteriores permite a atacantes remotos afectar a la confidencialidad, integridad y disponibilidad a través de vectores no especi... • http://secunia.com/advisories/48864 •