4 results (0.010 seconds)

CVSS: 10.0EPSS: 96%CPEs: 398EXPL: 30

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. • https://github.com/fullhunt/log4j-scan https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words https://github.com/cyberstruggle/L4sh https://github.com/woodpecker-appstore/log4j-payload-generator https://github.com/tangxiaofeng7/apache-log4j-poc https://www.exploit-db.com/exploits/51183 https://www.exploit-db.com/exploits/50592 https://www.exploit-db.com/exploits/50590 https://github.com/logpresso/CVE-2021-44228-Scanner https://github.com/jas502n/Log4j2-CVE-2021-44228 h • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption CWE-502: Deserialization of Untrusted Data CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

NetApp SnapCenter Server prior to 4.1 does not set the secure flag for a sensitive cookie in an HTTPS session which can allow the transmission of the cookie in plain text over an unencrypted channel. NetApp SnapCenter Server, en versiones anteriores a la 4.1, no establece el indicador "secure" para una cookie sensible en una sesión HTTPS que podría permitir la trasmisión de dicha cookie en texto plano en un canal sin cifrar. • http://www.securityfocus.com/bid/107274 https://security.netapp.com/advisory/ntap-20190304-0001 • CWE-311: Missing Encryption of Sensitive Data •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

NetApp SnapCenter Server prior to 4.0 is susceptible to cross site scripting vulnerability that could allow a privileged user to inject arbitrary scripts into the custom secondary policy label field. NetApp SnapCenter Server, en versiones anteriores a la 4.0, es susceptible a una vulnerabilidad de Cross-Site Scripting (XSS) que podría permitir a un usuario privilegiado inyectar scripts arbitrarios en el campo "label" de la política personalizada secundaria. • http://www.securityfocus.com/bid/107272 https://security.netapp.com/advisory/ntap-20190304-0002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

NetApp SnapCenter Server versions 1.1 through 2.x are susceptible to a Cross-Site Request Forgery (CSRF) vulnerability which could be used to cause an unintended authenticated action in the user interface. NetApp SnapCenter Server desde la versión 1.1 hasta las 2.x es susceptible a Cross-Site Request Forgery (CSRF), vulnerabilidad que se podría utilizar para provocar una acción autenticada no deseada en la interfaz de usuario. • https://security.netapp.com/advisory/ntap-20171114-0001 • CWE-352: Cross-Site Request Forgery (CSRF) •