Page 5 of 38 results (0.017 seconds)

CVSS: 9.1EPSS: 0%CPEs: 11EXPL: 0

CVE-2021-23926 – XMLBeans XML Entity Expansion

https://notcve.org/view.php?id=CVE-2021-23926

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0. Los analizadores XML usados por XMLBeans versiones hasta 2.6.0 no establecían las propiedades necesarias para proteger al usuario de entradas XML maliciosas. Unas vulnerabilidades incluyen posibilidades de ataques de Expansión de Entidades XML. • https://issues.apache.org/jira/browse/XMLBEANS-517 https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed%40%3Cjava-dev.axis.apache.org%3E https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1%40%3Cjava-dev.axis.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html https://poi.apache.org https://security.netapp.com/advisory/ntap-20210513-0004 https://www.oracle.com/security-alerts/cpujul2022.html https://www.oracle • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •

CVSS: 8.1EPSS: 0%CPEs: 39EXPL: 1

CVE-2020-28052 – bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible

https://notcve.org/view.php?id=CVE-2020-28052

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. Se detectó un problema en Legion of the Bouncy Castle BC Java versiones 1.65 y 1.66. El método de la utilidad OpenBSDBCrypt.checkPassword comparó datos incorrectos al comprobar la contraseña, permitiendo a unas contraseñas incorrectas indicar que coinciden con otras previamente en hash que eran diferentes A flaw was found in bouncycastle. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. • https://github.com/bcgit/bc-java/wiki/CVE-2020-28052 https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53%40%3Ccommits.pulsar.apache.org%3E https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E https://list • CWE-287: Improper Authentication •

CVSS: 5.9EPSS: 0%CPEs: 75EXPL: 1

CVE-2020-1971 – EDIPARTYNAME NULL pointer dereference

https://notcve.org/view.php?id=CVE-2020-1971

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. • https://github.com/MBHudson/CVE-2020-1971 http://www.openwall.com/lists/oss-security/2021/09/14/2 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920 https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676 https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b7 • CWE-476: NULL Pointer Dereference •

CVSS: 6.1EPSS: 0%CPEs: 23EXPL: 0

CVE-2020-27193

https://notcve.org/view.php?id=CVE-2020-27193

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs. Una vulnerabilidad de tipo cross-site scripting (XSS) en el plugin Color Dialog para CKEditor versión 4.15.0, permite a atacantes remotos ejecutar script web arbitrario después de persuadir a un usuario para que copie y pegue código HTML diseñado en una de las entradas del editor • https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released https://ckeditor.com/cke4/release/CKEditor-4.15.1 https://ckeditor.com/ckeditor-4/download https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuoct2021.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 31EXPL: 0

CVE-2020-13956 – apache-httpclient: incorrect handling of malformed authority component in request URIs

https://notcve.org/view.php?id=CVE-2020-13956

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. Apache HttpClient versiones anteriores a 4.5.13 y 5.0.3, pueden interpretar inapropiadamente el componente authority malformado en las peticiones URI pasadas ??a la biblioteca como objeto java.net.URI y elegir el host de destino equivocado para una ejecución de la petición • https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749%40%3Cissues.maven.apache.org%3E https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9%40%3Cdev.hive.apache.org%3E https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb%40%3Cissues.drill.apache.org%3E https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1%40%3Cissues.solr.apache.org%3E https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe%40% • CWE-20: Improper Input Validation •