CVSS: 9.8EPSS: 7%CPEs: 48EXPL: 0CVE-2019-2904 – Oracle ADF Faces Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-2904
Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). • http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpuapr2021.html https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.zerodayinitiative.com/advisories/ZDI-19-1024 •
CVSS: 7.5EPSS: 0%CPEs: 34EXPL: 0CVE-2019-17359
https://notcve.org/view.php?id=CVE-2019-17359
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64. El analizador ASN.1 en Bouncy Castle Crypto (también se conoce como BC Java) versión 1.63, puede desencadenar un intento de asignación de memoria grande y un error OutOfMemoryError resultante, por medio de datos ASN.1 diseñados. Esto se corrige en la versión 1.64. • https://lists.apache.org/thread.html/r02f887807a49cfd1f1ad53f7a61f3f8e12f60ba2c930bec163031209%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r16c3a90cb35ae8a9c74fd5c813c16d6ac255709c9f9d71cd409e007d%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r467ade3fef3493f1fff1a68a256d087874e1f858ad1de7a49fe05d27%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r4d475dcaf4f57115fa57d8e06c3823ca398b35468429e7946ebaefdc%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r79b6a6aa0dd1aeb57bd253d94794bc96f1ec005953c4bd5414cc0db0&# • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.1EPSS: 2%CPEs: 218EXPL: 4CVE-2019-11358 – jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
https://notcve.org/view.php?id=CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. jQuery, en versiones anteriores a 3.4.0, como es usado en Drupal, Backdrop CMS, y otros productos, maneja mal jQuery.extend(true, {}, ...) debido a la contaminación de Object.prototype. Si un objeto fuente no sanitizado contenía una propiedad enumerable __proto__, podría extender el Object.prototype nativo. A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. • https://github.com/isacaya/CVE-2019-11358 https://github.com/ossf-cve-benchmark/CVE-2019-11358 https://github.com/Snorlyd/https-nj.gov---CVE-2019-11358 http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html http://packetstormsecurity.c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •