CVE-2018-20580 – ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-20580
The WSDL import functionality in SmartBear ReadyAPI 2.5.0 and 2.6.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file. La funcionalidad de importación WSDL de SmartBear ReadyAPI,versiones 2.5.0 y 2.6.0, permite a los atacantes remotos ejecutar código Java arbitrario a través de un parámetro de solicitud creado en un archivo WSDL. ReadyAPI versions 2.5.0 and 2.6.0 suffer from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/46796 https://github.com/gscamelo/CVE-2018-20580 http://packetstormsecurity.com/files/152731/ReadyAPI-2.5.0-2.6.0-Remote-Code-Execution.html https://vimeo.com/332912402 https://vimeo.com/332912473 • CWE-20: Improper Input Validation •
CVE-2017-16670 – SoapUI 5.3.0 Code Execution
https://notcve.org/view.php?id=CVE-2017-16670
The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file. a funcionalidad de importación de proyectos en SoapUI 5.3.0 permite que los atacantes remotos ejecuten código Java arbitrario mediante un parámetro request manipulado en un archivo de proyecto WSDL. SoapUI suffers from an arbitrary code execution vulnerability via a maliciously imported project. • http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2016-5682
https://notcve.org/view.php?id=CVE-2016-5682
Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section. Swagger-UI en versiones anteriores a 2.2.1 tiene XSS a través del campo predeterminado en la sección de definiciones. • https://community.rapid7.com/community/infosec/blog/2016/09/02/r7-2016-19-persistent-xss-via-unescaped-parameters-in-swagger-ui • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-1000229 – swagger-ui: cross-site scripting in key names
https://notcve.org/view.php?id=CVE-2016-1000229
swagger-ui has XSS in key names swagger-ui presenta una vulnerabilidad de tipo XSS en nombres claves. It was found that swagger-ui contains a cross site scripting (XSS) vulnerability in the key names in the JSON document. An attacker could use this flaw to supply a key name with script tags which could cause arbitrary code execution. Additionally it is possible to load the arbitrary JSON files remotely via the URL query-string parameter. • https://github.com/ossf-cve-benchmark/CVE-2016-1000229 http://www.securityfocus.com/bid/97580 https://access.redhat.com/errata/RHSA-2017:0868 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000229 https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000229.json https://access.redhat.com/security/cve/CVE-2016-1000229 https://bugzilla.redhat.com/show_bug.cgi?id=1360275 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-1202 – SoapUI 4.6.3 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-1202
The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file. La funcionalidad de importación WSDL/WADL en SoapUI anteriores a 4.6.4 permite a atacantes remotos ejecutar código Java arbitrario a través de parámetros de petición manipulados en un fichero WSDL. SoapUI versions prior to 4.6.4 suffer from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/30908 http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html http://www.exploit-db.com/exploits/30908 http://www.youtube.com/watch?v=3lCLE64rsc0 https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt • CWE-94: Improper Control of Generation of Code ('Code Injection') •