|
2019-10-10
|
CVE-2019-17495
|
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
|
Banking_apis, Banking_digital_experience, Banking_platform, Primavera_gateway, Utilities_framework, Swagger_ui
|
9.8
|
|
|
|
2019-11-08
|
CVE-2019-10219
|
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
|
Active_iq_unified_manager, Element, Management_services_for_element_software_and_netapp_hci, Snapcenter_plug\-In, Access_manager, Agile_engineering_data_management, Agile_plm, Agile_product_lifecycle_analytics, Agile_product_lifecycle_management_integration_pack, Airlines_data_model, Application_express, Application_performance_management, Application_testing_suite, Argus_analytics, Argus_insight, Argus_safety, Banking_apis, Banking_deposits_and_lines_of_credit_servicing, Banking_digital_experience, Banking_enterprise_default_management, Banking_enterprise_default_managment, Banking_loans_servicing, Banking_party_management, Banking_platform, Bi_publisher, Big_data_spatial_and_graph, Business_activity_monitoring, Business_intelligence, Business_process_management_suite, Clinical, Commerce_guided_search, Commerce_platform, Communications_application_session_controller, Communications_billing_and_revenue_management, Communications_billing_and_revenue_management_elastic_charging_engine, Communications_calendar_server, Communications_cloud_native_core_automated_test_suite, Communications_cloud_native_core_binding_support_function, Communications_cloud_native_core_console, Communications_cloud_native_core_network_function_cloud_native_environment, Communications_cloud_native_core_network_repository_function, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_cloud_native_core_service_communication_proxy, Communications_cloud_native_core_unified_data_repository, Communications_contacts_server, Communications_converged_application_server_\-_service_controller, Communications_convergence, Communications_convergent_charging_controller, Communications_data_model, Communications_design_studio, Communications_diameter_signaling_route, Communications_eagle_application_processor, Communications_instant_messaging_server, Communications_interactive_session_recorder, Communications_messaging_server, Communications_metasolv_solution, Communications_network_charging_and_control, Communications_network_integrity, Communications_offline_mediation_controller, Communications_operations_monitor, Communications_pricing_design_center, Communications_service_broker, Communications_services_gatekeeper, Communications_session_border_controller, Communications_unified_inventory_management, Communications_webrtc_session_controller, Data_integrator, Database_server, Demantra_demand_management, Documaker, E\-Business_suite, Enterprise_communications_broker, Enterprise_data_quality, Enterprise_manager_base_platform, Enterprise_manager_ops_center, Enterprise_session_border_controller, Essbase, Essbase_administration_services, Financial_services_analytical_applications_infrastructure, Financial_services_behavior_detection_platform, Financial_services_enterprise_case_management, Financial_services_foreign_account_tax_compliance_act_management, Financial_services_model_management_and_governance, Financial_services_trade\-Based_anti_money_laundering, Flexcube_investor_servicing, Flexcube_private_banking, Fujitsu_m10\-1_firmware, Fujitsu_m10\-4_firmware, Fujitsu_m10\-4s_firmware, Fujitsu_m12\-1_firmware, Fujitsu_m12\-2_firmware, Fujitsu_m12\-2s_firmware, Fusion_middleware, Fusion_middleware_mapviewer, Goldengate, Goldengate_application_adapters, Graalvm, Graph_server_and_client, Health_sciences_clinical_development_analytics, Health_sciences_inform_crf_submit, Health_sciences_information_manager, Healthcare_data_repository, Healthcare_foundation, Healthcare_translational_research, Hospitality_cruise_shipboard_property_management_system, Hospitality_opera_5_property_services, Hospitality_reporting_and_analytics, Hospitality_suite8, Http_server, Hyperion_financial_management, Hyperion_ilearning, Hyperion_infrastructure_technology, Instantis_enterprisetrack, Insurance_data_gateway, Insurance_insbridge_rating_and_underwriting, Insurance_policy_administration, Insurance_policy_administration_j2ee, Insurance_rules_palette, Java_se, Jd_edwards_enterpriseone_orchestrator, Jdk, Managed_file_transfer, Mysql_cluster, Mysql_connectors, Mysql_server, Mysql_workbench, Nosql_database, Oss_support_tools, Peoplesoft_enterprise_cs_sa_integration_pack, Peoplesoft_enterprise_people_tools, Peoplesoft_enterprise_peopletools, Policy_automation, Primavera_analytics, Primavera_data_warehouse, Primavera_gateway, Primavera_p6_enterprise_project_portfolio_management, Primavera_p6_professional_project_management, Primavera_portfolio_management, Primavera_unifier, Rapid_planning, Real\-Time_decision_server, Real_user_experience_insight, Rest_data_services, Retail_allocation, Retail_analytics, Retail_assortment_planning, Retail_back_office, Retail_central_office, Retail_customer_insights, Retail_customer_management_and_segmentation_foundation, Retail_eftlink, Retail_extract_transform_and_load, Retail_financial_integration, Retail_fiscal_management, Retail_integration_bus, Retail_invoice_matching, Retail_merchandising_system, Retail_order_broker, Retail_order_management_system, Retail_point\-Of\-Sale, Retail_predictive_application_server, Retail_price_management, Retail_returns_management, Retail_service_backbone, Retail_size_profile_optimization, Retail_xstore_point_of_service, Sd\-Wan_aware, Sd\-Wan_edge, Secure_backup, Siebel_applications, Solaris, Spatial_studio, Thesaurus_management_system, Timesten_in\-Memory_database, Utilities_framework, Utilities_testing_accelerator, Vm_virtualbox, Webcenter_portal, Weblogic_server, Zfs_storage_appliance_kit, Zfs_storage_application_integration_engineering_software, Fuse, Hibernate_validator, Jboss_data_grid, Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On
|
6.1
|
|
|
|
2020-04-27
|
CVE-2020-9488
|
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
|
Log4j, Debian_linux, Communications_application_session_controller, Communications_billing_and_revenue_management, Communications_eagle_ftp_table_base_retrieval, Communications_offline_mediation_controller, Communications_services_gatekeeper, Communications_unified_inventory_management, Data_integrator, Enterprise_manager_for_peoplesoft, Financial_services_analytical_applications_infrastructure, Financial_services_institutional_performance_analytics, Financial_services_market_risk_measurement_and_management, Financial_services_price_creation_and_discovery, Financial_services_retail_customer_analytics, Flexcube_core_banking, Flexcube_private_banking, Health_sciences_information_manager, Insurance_insbridge_rating_and_underwriting, Insurance_policy_administration_j2ee, Insurance_rules_palette, Jd_edwards_world_security, Oracle_goldengate_application_adapters, Peoplesoft_enterprise_peopletools, Policy_automation, Policy_automation_connector_for_siebel, Policy_automation_for_mobile_devices, Primavera_unifier, Retail_advanced_inventory_planning, Retail_assortment_planning, Retail_bulk_data_integration, Retail_customer_management_and_segmentation_foundation, Retail_eftlink, Retail_insights_cloud_service_suite, Retail_integration_bus, Retail_order_broker_cloud_service, Retail_predictive_application_server, Retail_xstore_point_of_service, Siebel_apps_\-_marketing, Siebel_ui_framework, Spatial_and_graph, Storagetek_acsls, Storagetek_tape_analytics_sw_tool, Utilities_framework, Weblogic_server, Reload4j
|
3.7
|
|
|
|
2020-05-01
|
CVE-2020-10683
|
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
|
Ubuntu_linux, Dom4j, Oncommand_api_services, Oncommand_workflow_automation, Snap_creator_framework, Snapcenter, Snapmanager, Leap, Agile_plm, Application_testing_suite, Banking_platform, Business_process_management_suite, Communications_application_session_controller, Communications_diameter_signaling_router, Communications_unified_inventory_management, Data_integrator, Documaker, Endeca_information_discovery_integrator, Enterprise_data_quality, Enterprise_manager_base_platform, Financial_services_analytical_applications_infrastructure, Flexcube_core_banking, Fusion_middleware, Health_sciences_empirica_signal, Health_sciences_information_manager, Insurance_policy_administration_j2ee, Insurance_rules_palette, Jdeveloper, Primavera_p6_enterprise_project_portfolio_management, Rapid_planning, Retail_customer_management_and_segmentation_foundation, Retail_integration_bus, Retail_order_broker, Retail_price_management, Retail_xstore_point_of_service, Storagetek_tape_analytics_sw_tool, Utilities_framework, Webcenter_portal
|
9.8
|
|
|
|
2020-05-14
|
CVE-2020-1945
|
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
|
Ant, Ubuntu_linux, Fedora, Leap, Agile_engineering_data_management, Banking_enterprise_collections, Banking_liquidity_management, Banking_platform, Business_process_management_suite, Category_management_planning_\&_optimization, Communications_asap, Communications_diameter_signaling_router, Communications_metasolv_solution, Communications_order_and_service_management, Data_integrator, Endeca_information_discovery_studio, Enterprise_manager_ops_center, Enterprise_repository, Financial_services_analytical_applications_infrastructure, Flexcube_investor_servicing, Flexcube_private_banking, Health_sciences_information_manager, Primavera_gateway, Primavera_unifier, Rapid_planning, Real\-Time_decision_server, Retail_advanced_inventory_planning, Retail_assortment_planning, Retail_back_office, Retail_bulk_data_integration, Retail_central_office, Retail_data_extractor_for_merchandising, Retail_extract_transform_and_load, Retail_financial_integration, Retail_integration_bus, Retail_item_planning, Retail_macro_space_optimization, Retail_merchandise_financial_planning, Retail_merchandising_system, Retail_point\-Of\-Service, Retail_predictive_application_server, Retail_regular_price_optimization, Retail_replenishment_optimization, Retail_returns_management, Retail_service_backbone, Retail_size_profile_optimization, Retail_store_inventory_management, Retail_xstore_point_of_service, Timesten_in\-Memory_database, Utilities_framework
|
6.3
|
|
|
|
2020-10-01
|
CVE-2020-11979
|
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
|
Ant, Fedora, Gradle, Agile_engineering_data_management, Api_gateway, Banking_platform, Banking_treasury_management, Communications_unified_inventory_management, Data_integrator, Endeca_information_discovery_studio, Enterprise_repository, Financial_services_analytical_applications_infrastructure, Flexcube_private_banking, Primavera_gateway, Primavera_unifier, Real\-Time_decision_server, Retail_advanced_inventory_planning, Retail_assortment_planning, Retail_category_management_planning_\&_optimization, Retail_eftlink, Retail_financial_integration, Retail_integration_bus, Retail_item_planning, Retail_macro_space_optimization, Retail_merchandise_financial_planning, Retail_merchandising_system, Retail_predictive_application_server, Retail_regular_price_optimization, Retail_replenishment_optimization, Retail_service_backbone, Retail_size_profile_optimization, Retail_store_inventory_management, Retail_xstore_point_of_service, Storagetek_acsls, Storagetek_tape_analytics, Timesten_in\-Memory_database, Utilities_framework
|
7.5
|
|
|
|
2020-12-03
|
CVE-2020-25649
|
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
|
Iotdb, Jackson\-Databind, Fedora, Oncommand_api_services, Oncommand_workflow_automation, Service_level_manager, Agile_plm, Agile_product_lifecycle_management_integration_pack, Banking_apis, Banking_platform, Banking_treasury_management, Blockchain_platform, Coherence, Commerce_platform, Communications_billing_and_revenue_management, Communications_cloud_native_core_unified_data_repository, Communications_convergent_charging_controller, Communications_evolved_communications_application_server, Communications_instant_messaging_server, Communications_interactive_session_recorder, Communications_messaging_server, Communications_network_charging_and_control, Communications_offline_mediation_controller, Communications_pricing_design_center, Communications_services_gatekeeper, Communications_unified_inventory_management, Goldengate_application_adapters, Health_sciences_empirica_signal, Insurance_policy_administration, Insurance_rules_palette, Jd_edwards_enterpriseone_orchestrator, Jd_edwards_enterpriseone_tools, Primavera_gateway, Retail_service_backbone, Retail_xstore_point_of_service, Sd\-Wan_edge, Utilities_framework, Webcenter_portal, Quarkus
|
7.5
|
|
|
|
2020-12-18
|
CVE-2020-28052
|
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
|
Karaf, Legion\-Of\-The\-Bouncy\-Castle\-Java\-Crytography\-Api, Banking_corporate_lending_process_management, Banking_credit_facilities_process_management, Banking_extensibility_workbench, Banking_supply_chain_finance, Banking_virtual_account_management, Blockchain_platform, Commerce_guided_search, Communications_application_session_controller, Communications_cloud_native_core_network_slice_selection_function, Communications_convergence, Communications_messaging_server, Communications_pricing_design_center, Communications_session_report_manager, Communications_session_route_manager, Jd_edwards_enterpriseone_tools, Peoplesoft_enterprise_peopletools, Utilities_framework, Webcenter_portal
|
8.1
|
|
|
|
2021-02-23
|
CVE-2021-27568
|
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
|
Json\-Smart\-V1, Json\-Smart\-V2, Communications_cloud_native_core_policy, Oss_support_tools, Peoplesoft_enterprise_peopletools, Utilities_framework, Weblogic_server
|
5.9
|
|
|
|
2021-07-14
|
CVE-2021-36373
|
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
|
Ant, Agile_plm, Banking_trade_finance, Banking_treasury_management, Communications_cloud_native_core_automated_test_suite, Communications_cloud_native_core_binding_support_function, Communications_order_and_service_management, Communications_unified_inventory_management, Enterprise_repository, Financial_services_analytical_applications_infrastructure, Insurance_policy_administration, Primavera_gateway, Primavera_unifier, Real\-Time_decision_server, Retail_advanced_inventory_planning, Retail_back_office, Retail_bulk_data_integration, Retail_central_office, Retail_eftlink, Retail_extract_transform_and_load, Retail_financial_integration, Retail_integration_bus, Retail_invoice_matching, Retail_merchandising_system, Retail_point\-Of\-Service, Retail_predictive_application_server, Retail_service_backbone, Retail_store_inventory_management, Retail_xstore_point_of_service, Timesten_in\-Memory_database, Utilities_framework, Utilities_testing_accelerator
|
5.5
|
|
|