CVSS: 9.1EPSS: 0%CPEs: 11EXPL: 0CVE-2021-23926 – XMLBeans XML Entity Expansion
https://notcve.org/view.php?id=CVE-2021-23926
14 Jan 2021 — The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0. Los analizadores XML usados por XMLBeans versiones hasta 2.6.0 no establecían las propiedades necesarias para proteger al usuario de entradas XML maliciosas. Unas vulnerabilidades incluyen posibilidades de ataques de Expansión de Entidades XML. • https://issues.apache.org/jira/browse/XMLBEANS-517 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 8.1EPSS: 6%CPEs: 39EXPL: 3CVE-2020-28052 – bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
https://notcve.org/view.php?id=CVE-2020-28052
18 Dec 2020 — An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. Se detectó un problema en Legion of the Bouncy Castle BC Java versiones 1.65 y 1.66. El método de la utilidad OpenBSDBCrypt.checkPassword comparó datos incorrectos al comprobar la contraseña, permitiendo a unas contraseña... • https://github.com/madstap/bouncy-castle-generative-test-poc • CWE-287: Improper Authentication •
CVSS: 5.9EPSS: 0%CPEs: 75EXPL: 1CVE-2020-1971 – EDIPARTYNAME NULL pointer dereference
https://notcve.org/view.php?id=CVE-2020-1971
08 Dec 2020 — The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. • https://github.com/MBHudson/CVE-2020-1971 • CWE-476: NULL Pointer Dereference •
CVSS: 6.1EPSS: 0%CPEs: 23EXPL: 0CVE-2020-27193
https://notcve.org/view.php?id=CVE-2020-27193
12 Nov 2020 — A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs. Una vulnerabilidad de tipo cross-site scripting (XSS) en el plugin Color Dialog para CKEditor versión 4.15.0, permite a atacantes remotos ejecutar script web arbitrario después de persuadir a un usuario para que copie y pegue código HTML diseñado en una de las entradas del editor • https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 31EXPL: 0CVE-2020-13956 – apache-httpclient: incorrect handling of malformed authority component in request URIs
https://notcve.org/view.php?id=CVE-2020-13956
28 Oct 2020 — Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. Apache HttpClient versiones anteriores a 4.5.13 y 5.0.3, pueden interpretar inapropiadamente el componente authority malformado en las peticiones URI pasadas ??a la biblioteca como objeto java.net.URI y elegir el host de destino equivocado para una ejecución de la petición Red Hat Decisio... • https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749%40%3Cissues.maven.apache.org%3E • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 2%CPEs: 42EXPL: 2CVE-2020-8203 – WordPress Core < 5.8.1 - LoDash Update
https://notcve.org/view.php?id=CVE-2020-8203
15 Jul 2020 — Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Un ataque de contaminación de prototipo cuando se utiliza _.zipObjectDeep en lodash versiones anteriores a 4.17.20 A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability. WordPress Core is vulnerable to prototype pollution in various versions less... • https://github.com/ossf-cve-benchmark/CVE-2020-8203 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-770: Allocation of Resources Without Limits or Throttling CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 9.8EPSS: 11%CPEs: 81EXPL: 8CVE-2020-11023 – JQuery Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2020-11023
29 Apr 2020 — In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing
CVSS: 6.1EPSS: 1%CPEs: 24EXPL: 0CVE-2020-9281 – Ubuntu Security Notice USN-5340-1
https://notcve.org/view.php?id=CVE-2020-9281
07 Mar 2020 — A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). Una vulnerabilidad de tipo cross-site scripting (XSS) en el HTML Data Processor for CKEditor versiones 4.0 anteriores a 4.14, permite a atacantes remotos inyectar script web arbitrario por medio de un comentario "protected" diseñado (con la sintaxis cke_protected). Kyaw Min Thein discov... • https://github.com/ckeditor/ckeditor4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 1%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
08 Nov 2019 — A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 12%CPEs: 18EXPL: 1CVE-2019-17195 – nimbus-jose-jwt: Uncaught exceptions while parsing a JWT
https://notcve.org/view.php?id=CVE-2019-17195
15 Oct 2019 — Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. Connect2id Nimbus JOSE+JWT versiones anteriores a v7.9, puede arrojar varias excepciones no captadas al analizar un JWT, lo que podría resultar en un bloqueo de la aplicación (potencial divulgación de información) o una posible omisión de autenticación. A flaw was found in Connect2id Nimbus JOSE+J... • https://github.com/somatrasss/weblogic2021 • CWE-248: Uncaught Exception CWE-755: Improper Handling of Exceptional Conditions •