Filtered by vendor Oracle
Subscribe
Filtered by product Communications Session Report Manager
Subscribe
Total
68 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-11023 | 7 Debian, Drupal, Fedoraproject and 4 more | 55 Debian Linux, Drupal, Fedora and 52 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | |||||
CVE-2020-24616 | 4 Debian, Fasterxml, Netapp and 1 more | 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). | |||||
CVE-2020-9490 | 7 Apache, Canonical, Debian and 4 more | 25 Http Server, Ubuntu Linux, Debian Linux and 22 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. | |||||
CVE-2020-10673 | 4 Debian, Fasterxml, Netapp and 1 more | 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | |||||
CVE-2020-1941 | 2 Apache, Oracle | 7 Activemq, Communications Diameter Signaling Router, Communications Element Manager and 4 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. | |||||
CVE-2020-14062 | 4 Debian, Fasterxml, Netapp and 1 more | 13 Debian Linux, Jackson-databind, Active Iq Unified Manager and 10 more | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). | |||||
CVE-2020-14061 | 4 Debian, Fasterxml, Netapp and 1 more | 15 Debian Linux, Jackson-databind, Active Iq Unified Manager and 12 more | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). | |||||
CVE-2020-10968 | 4 Debian, Fasterxml, Netapp and 1 more | 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). | |||||
CVE-2020-1934 | 6 Apache, Canonical, Debian and 3 more | 11 Http Server, Ubuntu Linux, Debian Linux and 8 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. | |||||
CVE-2020-11111 | 4 Debian, Fasterxml, Netapp and 1 more | 25 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 22 more | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). | |||||
CVE-2020-11655 | 7 Canonical, Debian, Netapp and 4 more | 18 Ubuntu Linux, Debian Linux, Ontap Select Deploy Administration Utility and 15 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. | |||||
CVE-2020-11112 | 4 Debian, Fasterxml, Netapp and 1 more | 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). | |||||
CVE-2020-11984 | 7 Apache, Canonical, Debian and 4 more | 13 Http Server, Ubuntu Linux, Debian Linux and 10 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE | |||||
CVE-2020-11993 | 7 Apache, Canonical, Debian and 4 more | 13 Http Server, Ubuntu Linux, Debian Linux and 10 more | 2023-12-10 | 4.3 MEDIUM | 7.5 HIGH |
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. | |||||
CVE-2020-5398 | 3 Netapp, Oracle, Vmware | 33 Data Availability Services, Snapcenter, Application Testing Suite and 30 more | 2023-12-10 | 7.6 HIGH | 7.5 HIGH |
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input. | |||||
CVE-2019-17573 | 2 Apache, Oracle | 7 Cxf, Commerce Guided Search, Communications Element Manager and 4 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable. | |||||
CVE-2020-9548 | 4 Debian, Fasterxml, Netapp and 1 more | 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more | 2023-12-10 | 6.8 MEDIUM | 9.8 CRITICAL |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). | |||||
CVE-2019-10097 | 2 Apache, Oracle | 8 Http Server, Communications Element Manager, Communications Session Report Manager and 5 more | 2023-12-10 | 6.0 MEDIUM | 7.2 HIGH |
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients. | |||||
CVE-2020-9546 | 4 Debian, Fasterxml, Netapp and 1 more | 31 Debian Linux, Jackson-databind, Active Iq Unified Manager and 28 more | 2023-12-10 | 6.8 MEDIUM | 9.8 CRITICAL |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | |||||
CVE-2019-12423 | 2 Apache, Oracle | 8 Cxf, Commerce Guided Search, Communications Diameter Signaling Router and 5 more | 2023-12-10 | 4.3 MEDIUM | 7.5 HIGH |
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all. |