CVSS: 6.4EPSS: 0%CPEs: 28EXPL: 0CVE-2023-1932 – Hibernate-validator: rendering of invalid html with safehtml leads to html injection and xss
https://notcve.org/view.php?id=CVE-2023-1932
07 Nov 2024 — A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks. Se encontró una falla en el método 'isValid' de hibernate-validator en la clase org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator, que se puede evitar omitiendo la ... • https://access.redhat.com/security/cve/CVE-2023-1932 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 76%CPEs: 72EXPL: 1CVE-2021-4104 – Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
https://notcve.org/view.php?id=CVE-2021-4104
14 Dec 2021 — JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in Au... • https://github.com/cckuailong/log4shell_1.x • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 5.9EPSS: 0%CPEs: 21EXPL: 0CVE-2020-14340 – xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS
https://notcve.org/view.php?id=CVE-2020-14340
13 Oct 2020 — A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final. Se detectó una vulnerabilidad en XNIO en la que se produce un filtrado de descriptores de archivos causada por el crecimiento de la cantidad de manejadores de archivos NIO Selector entre los ciclos de recolección de basura. Puede permitir al ... • https://bugzilla.redhat.com/show_bug.cgi?id=1860218 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2012-5626
https://notcve.org/view.php?id=CVE-2012-5626
23 Jan 2020 — EJB method in Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; Red Hat JBoss Operations Network 3.1; Red Hat JBoss Portal 4 and 5; Red Hat JBoss SOA Platform 4.2, 4.3, and 5; in Red Hat JBoss Enterprise Web Server 1 ignores roles specified using the @RunAs annotation. El método EJB en Red Hat JBoss BRMS versión 5; Red Hat JBoss Enterprise Application Platform versión 5; Red Hat JBoss Operations Network versión 3.1; Red Hat JBoss Portal versiones 4 y 5; Red Hat JBoss SOA Platform versio... • https://access.redhat.com/security/cve/cve-2012-5626 •
CVSS: 6.5EPSS: 1%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
08 Nov 2019 — A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2008-5083
https://notcve.org/view.php?id=CVE-2008-5083
07 Nov 2019 — In JON 2.1.x before 2.1.2 SP1, users can obtain unauthorized security information about private resources managed by JBoss ON. En JON versiones 2.1.x anteriores a 2.1.2 SP1, los usuarios pueden obtener información de seguridad no autorizada sobre recursos privados administrados por JBoss ON. • https://access.redhat.com/security/cve/cve-2008-5083 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2013-4374
https://notcve.org/view.php?id=CVE-2013-4374
04 Nov 2019 — An insecurity temporary file vulnerability exists in RHQ Mongo DB Drift Server through 2013-09-25 when unpacking zipped files. Existe una vulnerabilidad de archivo temporal de inseguridad en RHQ Mongo DB Drift Server hasta el 25-09-2013 cuando se descomprimen archivos comprimidos. • https://access.redhat.com/security/cve/cve-2013-4374 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2010-0737
https://notcve.org/view.php?id=CVE-2010-0737
30 Oct 2019 — A missing permission check was found in The CLI in JBoss Operations Network before 2.3.1 does not properly check permissions, which allows JBoss ON users to perform management tasks and configuration changes with the privileges of the administrator user. Se detectó una falta de comprobación de permiso en la CLI en JBoss Operations Network versiones anteriores a 2.3.1, no comprueba apropiadamente los permisos, lo que permite a usuarios de JBoss ON llevar a cabo tareas de administración y cambios de configura... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0737 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-3834
https://notcve.org/view.php?id=CVE-2019-3834
03 Oct 2019 — It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Exploits that have been published rely on ClassLoader properties that are exposed such as those in JON 3. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353. Note that while multiple products released patches for the original CVE-2014-0114 flaw, the reve... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3834 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 9.8EPSS: 18%CPEs: 16EXPL: 0CVE-2016-6330
https://notcve.org/view.php?id=CVE-2016-6330
27 Sep 2016 — The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737. El servidor en Red Hat JBoss Operations Network (JON), cuando la autenticación SSL no está configurada para comunicación de agente servidor JON, permite a atacantes remotos ejecutar có... • http://www.securityfocus.com/bid/92568 • CWE-502: Deserialization of Untrusted Data •