
CVSS: 9.8 • EPSS: 94% • CPEs: 17 • EXPL: 0

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

References:
http://article.gmane.org/gmane.linux.kernel/1853266
http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
http://mercurial.selenic.com/wiki/WhatsNew
http://securitytracker.com/id?1031404
http://support.apple.com/kb/HT204147
https://github.com/blog/1938-git-client-vulnerability-announced
https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915
https://libgit2.org/security
https://news.ycombinator.com/item?id=8769667
https://www.rapid7.com/blo

CWE-20: Improper Input Validation

CVSS: 4.3 • EPSS: 52% • CPEs: 39 • EXPL: 4

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.

References:
https://www.exploit-db.com/exploits/34999
https://www.exploit-db.com/exploits/34998
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052532.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052554.html
http://openwall.com/lists/oss-security/2011/01/06/16
http://openwall.com/lists/oss-security/2011/01/06/7
http://www.mandriva.com/security/advisories?name=MDVSA-2011:032
http://www.redhat.com/support/errata/RHSA-2011-0568.html
http:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 • EPSS: 0% • CPEs: 2 • EXPL: 3

Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.

References:
https://www.exploit-db.com/exploits/35242
https://www.exploit-db.com/exploits/35243
http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 • EPSS: 6% • CPEs: 1 • EXPL: 4

Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.

References:
https://www.exploit-db.com/exploits/33286
http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss
http://secunia.com/advisories/37025
http://www.osvdb.org/58941
http://www.securityfocus.com/archive/1/507172/100/0/threaded
http://www.securityfocus.com/bid/36674
https://bugs.eclipse.org/bugs/show_bug.cgi?id=259127
https://exchange.xforce.ibmcloud.com/vulnerabilities/53773

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')