CVSS: 6.1EPSS: 8%CPEs: 81EXPL: 3CVE-2015-9251 – jquery: Cross-site scripting via cross-domain ajax requests
https://notcve.org/view.php?id=CVE-2015-9251
18 Jan 2018 — jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. jQuery en versiones anteriores a la 3.0.0 es vulnerable a ataques de Cross-site Scripting (XSS) cuando se realiza una petición Ajax de dominios cruzados sin la opción dataType. Esto provoca que se ejecuten respuestas de texto/javascript. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applic... • https://github.com/halkichi0308/CVE-2015-9251 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 10EXPL: 1CVE-2018-2660 – Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection / XSS
https://notcve.org/view.php?id=CVE-2018-2660
18 Jan 2018 — Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 7.3.5.x and 8.0.x. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. While the vulnerability is in Oracle Financial Services Analytical Applications Infrastructure, attacks may significant... • https://packetstorm.news/files/id/146057 •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 1CVE-2018-2661 – Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection / XSS
https://notcve.org/view.php?id=CVE-2018-2661
18 Jan 2018 — Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 7.3.5.x and 8.0.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in O... • https://packetstorm.news/files/id/146057 •
CVSS: 9.8EPSS: 7%CPEs: 58EXPL: 0CVE-2017-15095 – jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
https://notcve.org/view.php?id=CVE-2017-15095
13 Nov 2017 — A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. Se ha descubierto un error de deserialización en jackson-databind, en versiones anteriores a la 2.8.10 y a la 2.9.1, que podría permitir que un usu... • http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html • CWE-184: Incomplete List of Disallowed Inputs CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 78%CPEs: 52EXPL: 7CVE-2017-7525 – jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
https://notcve.org/view.php?id=CVE-2017-7525
31 Jul 2017 — A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. Se ha descubierto un error de deserialización en jackson-databind, en versiones anteriores a la 2.6.7.1, 2.7.9.1 y a la 2.8.9, que podría permitir que un usuario no autenticado ejecute código enviando las entradas maliciosamente manipuladas al método ... • https://packetstorm.news/files/id/145805 • CWE-20: Improper Input Validation CWE-184: Incomplete List of Disallowed Inputs CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 94%CPEs: 174EXPL: 2CVE-2017-5645 – log4j: Socket receiver deserialization vulnerability
https://notcve.org/view.php?id=CVE-2017-5645
17 Apr 2017 — In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. En Apache Log4j 2.x en versiones anteriores a 2.8.2, cuando se utiliza el servidor de socket TCP o el servidor de socket UDP para recibir sucesos de registro serializados de otra aplicación, puede enviarse una carga binaria especialmente diseñada que, cuando se des... • https://github.com/pimps/CVE-2017-5645 • CWE-502: Deserialization of Untrusted Data •