
CVSS: 9.8 | EPSS: 2% | CPEs: 10 | EXPL: 1

19 Feb 2020 — The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages. • https://web.archive.org/web/20140425095352/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Remote-code-execution-and-XML-Entity-Expansion-injection/ba-p/6403370 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

30 Nov 2017 — Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension. • https://github.com/restlet/restlet-framework-java/issues/1286 • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 7.5 | EPSS: 1% | CPEs: 1 | EXPL: 1

30 Nov 2017 — Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation. • https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 5.3 | EPSS: 0% | CPEs: 13 | EXPL: 0

06 Oct 2014 — Restlet Framework 2.1.x before 2.1.7 and 2.x.x before 2.2 RC1, when using XMLRepresentation or XML serializers, allows attackers to cause a denial of service via an XML Entity Expansion (XEE) attack. • http://secunia.com/advisories/56940 •
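The three XML entries above turn on a distinction that is easy to get wrong in JAXP: switching off external *general* entities (the 2.3.11 fix) leaves external *parameter* entities resolvable, and a parameter entity in the internal DTD subset can pull in an attacker-controlled DTD that in turn declares the entity the attacker wants expanded (the 2.3.12 issue); entity expansion (the 2014 entry) is a third, DTD-borne problem. The Java program below is an added example, not code from Restlet or from any of the advisories. It builds two `DocumentBuilder` configurations, one with only general entities disabled and one that refuses any DOCTYPE, and runs both against constructed payloads. The class name, entity names, the temp-file stand-in for an attacker-hosted DTD, and the assumption that the JDK's bundled Xerces parser is in use (the `apache.org` feature URIs are Xerces-specific) are all the example's own.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XmlEntityHardening {

    // Only external *general* entities switched off: the incomplete configuration the
    // 2.3.12 entry describes. External parameter entities are still fetched.
    static DocumentBuilder generalEntitiesOnlyDisabled() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        return f.newDocumentBuilder();
    }

    // Hardened: reject any DOCTYPE outright, so neither kind of entity can be declared and
    // no expansion bomb can be built. The individual entity/DTD features are pinned as well,
    // for parser implementations that do not honour disallow-doctype-decl.
    static DocumentBuilder hardened() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse and return the root element's text, or null when the parser rejects the document.
    static String rootText(DocumentBuilder b, String xml) throws Exception {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXParseException rejected) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins (local temp files, so this runs offline): an "attacker-hosted"
        // DTD that declares an ordinary entity, and a file an attacker would want to read.
        Path evilDtd = Files.createTempFile("evil", ".dtd");
        Files.write(evilDtd, "<!ENTITY leak \"LEAKED\">".getBytes(StandardCharsets.UTF_8));
        Path secret = Files.createTempFile("secret", ".txt");
        Files.write(secret, "top-secret".getBytes(StandardCharsets.UTF_8));

        // XXE through a parameter entity: %ext; pulls the external DTD into the internal subset,
        // and the entity it declares is then an ordinary internal one, unaffected by the
        // external-general-entities switch.
        String paramXxe = "<!DOCTYPE r [<!ENTITY % ext SYSTEM \"" + evilDtd.toUri()
                        + "\"> %ext;]><r>&leak;</r>";

        // XXE through an external general entity, the case the 2.3.11 fix covered.
        String generalXxe = "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"" + secret.toUri()
                          + "\">]><r>&xxe;</r>";

        // Entity expansion (XEE): six levels of ten references each, roughly a million
        // characters of output from a few hundred bytes of input.
        String xee = "<!DOCTYPE r [<!ENTITY a \"aaaaaaaaaa\">"
                   + "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
                   + "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">"
                   + "<!ENTITY d \"&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;\">"
                   + "<!ENTITY e \"&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;\">"
                   + "<!ENTITY f \"&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;\">]><r>&f;</r>";

        DocumentBuilder partial = generalEntitiesOnlyDisabled();
        DocumentBuilder safe = hardened();

        // Whether the external DTD was fetched through the parameter entity shows up directly
        // in the root text of the partially hardened parse.
        System.out.println("parameter-entity XXE, partial fix: " + rootText(partial, paramXxe));
        System.out.println("parameter-entity XXE, hardened   : " + rootText(safe, paramXxe));
        System.out.println("general-entity XXE,   hardened   : " + rootText(safe, generalXxe));
        System.out.println("entity expansion,     hardened   : " + rootText(safe, xee));

        Files.deleteIfExists(evilDtd);
        Files.deleteIfExists(secret);
    }
}
```

With the JDK's parser the partially hardened build returns `LEAKED` for the parameter-entity document, which is exactly the gap between the 2.3.11 and 2.3.12 fixes; the hardened build returns null for all three inputs because the DOCTYPE itself is refused (the default error handler also logs a `[Fatal Error]` line to stderr for each rejection). Refusing DOCTYPE is the right default for a REST API that never legitimately needs a DTD; only fall back to the individual feature switches when a DTD genuinely has to be accepted, and then keep `FEATURE_SECURE_PROCESSING` on so the JDK's entity-expansion limits apply.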

CVSS: 7.5 | EPSS: 0% | CPEs: 16 | EXPL: 0

07 Oct 2013 — The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221. • http://restlet.org/learn/2.1/changes • CWE-502: Deserialization of Untrusted Data •

CVSS: 7.5 | EPSS: 1% | CPEs: 16 | EXPL: 0

07 Oct 2013 — The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML. Red Hat JBo... • http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html • CWE-16: Configuration; CWE-91: XML Injection (aka Blind XPath Injection) •
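The two ObjectRepresentation entries describe a framework calling `ObjectInputStream.readObject` (and `XMLDecoder`) on whatever bytes the client sent. For the `ObjectInputStream` case the JDK has had a built-in mitigation since JDK 9 (JEP 290): an `ObjectInputFilter` that vetoes every class in the stream against an allowlist before it is instantiated. The program below is an added example, not code from Restlet or the advisories; `DeserializationAllowlist`, the `Order` type and the `HashMap` used as the "unexpected" stream are constructed for illustration. It keeps the unfiltered read beside the filtered one so the difference is visible on the same bytes. Note that `XMLDecoder` (the second entry) has no comparable hook: its documents are executable by design, and the only fix is to never feed it untrusted input.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationAllowlist {

    // The one type this endpoint is designed to accept (constructed for the example).
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String item;
        final int quantity;
        Order(String item, int quantity) { this.item = item; this.quantity = quantity; }
    }

    // Allowlist filter: Order and the String it contains, bounded depth and stream size,
    // and "!*" rejecting everything else. Patterns use binary class names, hence the '$'.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=3;maxbytes=4096;DeserializationAllowlist$Order;java.lang.String;!*");

    // Before: what the ObjectRepresentation default amounted to, readObject on client bytes.
    // Any serializable class on the classpath, gadget chains included, gets instantiated.
    static Object readUnfiltered(byte[] untrusted) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // After: the same stream, but every class descriptor is checked against FILTER and a
    // rejected one aborts the read with InvalidClassException before any constructor runs.
    static Order readOrder(byte[] untrusted) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(FILTER);
            return (Order) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Order("widget", 3));
        // Constructed stand-in for a hostile stream: a class the endpoint never expected.
        // A real payload would carry a gadget chain; a HashMap is enough to show the filter
        // refusing to instantiate anything off the list.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, unexpected class accepted: "
            + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered, legitimate order: " + readOrder(legit).item);
        try {
            readOrder(unexpected);
            System.out.println("filtered, unexpected class accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is deliberately per-endpoint rather than global: a process-wide filter (`ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property) is a useful backstop, but the filter attached to the stream is what encodes "this API accepts an Order and nothing else". Keep `!*` at the end so anything not explicitly listed is rejected, and keep the size and depth limits, since even allowlisted classes can be nested into a resource-exhaustion stream.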