CVE-2020-14763
https://notcve.org/view.php?id=CVE-2020-14763
Vulnerability in the Oracle Application Express Quick Poll component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Quick Poll. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Quick Poll, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Quick Poll accessible data as well as unauthorized read access to a subset of Oracle Application Express Quick Poll accessible data. • https://www.oracle.com/security-alerts/cpuoct2020.html •
CVE-2020-26870
https://notcve.org/view.php?id=CVE-2020-26870
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. Cure53 DOMPurify versiones anteriores a 2.0.17, permite una mutación de XSS. Esto ocurre porque un viaje de ida y vuelta de análisis serializado no necesariamente devuelve el árbol DOM original, y un espacio de nombres puede cambiar de HTML a MathML, como es demostrado al anidar los elementos FORM • https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17 https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870 https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass https://www.oracle.com//security-alerts/cpujul2021.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-2971
https://notcve.org/view.php?id=CVE-2020-2971
Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2. Easily exploitable vulnerability allows low privileged attacker having SQL Workshop privilege with network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data. • https://www.oracle.com/security-alerts/cpujul2020.html •
CVE-2020-2977
https://notcve.org/view.php?id=CVE-2020-2977
Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data. • https://www.oracle.com/security-alerts/cpujul2020.html •
CVE-2020-2972
https://notcve.org/view.php?id=CVE-2020-2972
Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2. Easily exploitable vulnerability allows low privileged attacker having SQL Workshop privilege with network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data. • https://www.oracle.com/security-alerts/cpujul2020.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •