4 results (0.012 seconds)

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SMARTBEAR SoapUI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the unpackageAll function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. • https://www.soapui.org/downloads/latest-release/release-notes https://www.zerodayinitiative.com/advisories/ZDI-24-1100 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 2

An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy "Load Script" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the "Save Script" function, which is executed automatically when saving a project. Se detectó un problema en SmartBear ReadyAPI versiones hasta 2.8.2 y 3.0.0 y SoapUI versiones hasta 5.5. • https://github.com/0x-nope/CVE-2019-12180 https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file. a funcionalidad de importación de proyectos en SoapUI 5.3.0 permite que los atacantes remotos ejecuten código Java arbitrario mediante un parámetro request manipulado en un archivo de proyecto WSDL. SoapUI suffers from an arbitrary code execution vulnerability via a maliciously imported project. • http://packetstormsecurity.com/files/146339/SoapUI-5.3.0-Code-Execution.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.3EPSS: 73%CPEs: 17EXPL: 3

The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file. La funcionalidad de importación WSDL/WADL en SoapUI anteriores a 4.6.4 permite a atacantes remotos ejecutar código Java arbitrario a través de parámetros de petición manipulados en un fichero WSDL. SoapUI versions prior to 4.6.4 suffer from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/30908 http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html http://packetstormsecurity.com/files/124773/SoapUI-Remote-Code-Execution.html http://www.exploit-db.com/exploits/30908 http://www.youtube.com/watch?v=3lCLE64rsc0 https://github.com/SmartBear/soapui/blob/master/RELEASENOTES.txt • CWE-94: Improper Control of Generation of Code ('Code Injection') •