CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14899
https://notcve.org/view.php?id=CVE-2020-14899
Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Data Reporter. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Data Reporter, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Data Reporter accessible data as well as unauthorized read access to a subset of Oracle Application Express Data Reporter accessible data. • https://www.oracle.com/security-alerts/cpuoct2020.html •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14900
https://notcve.org/view.php?id=CVE-2020-14900
Vulnerability in the Oracle Application Express Group Calendar component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Group Calendar. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Group Calendar, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Group Calendar accessible data as well as unauthorized read access to a subset of Oracle Application Express Group Calendar accessible data. • https://www.oracle.com/security-alerts/cpuoct2020.html •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14763
https://notcve.org/view.php?id=CVE-2020-14763
Vulnerability in the Oracle Application Express Quick Poll component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Quick Poll. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Quick Poll, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Quick Poll accessible data as well as unauthorized read access to a subset of Oracle Application Express Quick Poll accessible data. • https://www.oracle.com/security-alerts/cpuoct2020.html •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14762
https://notcve.org/view.php?id=CVE-2020-14762
Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having SQL Workshop privilege with network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data. • https://www.oracle.com/security-alerts/cpuoct2020.html •
CVSS: 6.1EPSS: 1%CPEs: 8EXPL: 1CVE-2020-26870
https://notcve.org/view.php?id=CVE-2020-26870
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. Cure53 DOMPurify versiones anteriores a 2.0.17, permite una mutación de XSS. Esto ocurre porque un viaje de ida y vuelta de análisis serializado no necesariamente devuelve el árbol DOM original, y un espacio de nombres puede cambiar de HTML a MathML, como es demostrado al anidar los elementos FORM • https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17 https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870 https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass https://www.oracle.com//security-alerts/cpujul2021.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •