トピトピニュース

Author: GitHub (1143 posts)

Featured

  • [github.com/crewjam/saml] crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication
  • [org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
  • [bitlyshortener] Package discontinued because Bitly lowered the free quota
  • [baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability

[org.apache.portals.jetspeed-2:jetspeed] Cross-site Scripting in Apache Jetspeed

  • Posted in MODERATE
  • Posted by GitHub
  • 05/17/2022, 11/04/2022

Cross-site scripting (XSS) vulnerability in Apache Jetspeed before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to portal.
References

https://nvd.nist.gov/vuln/detail/CVE-2016-0712
https://mail-archives.apache…

[org.apache.tomcat:tomcat] Deserialization of Untrusted Data in Apache Tomcat

  • Posted in HIGH
  • Posted by GitHub
  • 05/17/2022, 11/04/2022

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file…

[org.apache.struts:struts2-core] Remote Code Execution in Apache Struts

  • Posted in CRITICAL
  • Posted by GitHub
  • 05/17/2022, 11/04/2022

XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
References

https://nvd.nist.gov/vuln/detail/CVE-2016-3082
http://struts.apache.org/docs/…

[org.apache.struts:struts2-core] Code injection in Apache Struts

  • Posted in HIGH
  • Posted by GitHub
  • 05/17/2022, 11/04/2022

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
References

https://nvd.nist.gov/vuln/detail/CVE-2013-4316
http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html
…

[org.jruby:jruby] Ruby vulnerable to denial of service

  • Posted in MODERATE
  • Posted by GitHub
  • 05/17/2022, 11/08/2022

When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects, which can consume all of the memory on a machine, causing a denial of service.
JRuby resolves this bug in version 1.7.3 as not…

[org.apache.geode:geode-core] Apache Geode information disclosure vulnerability

  • Posted in HIGH
  • Posted by GitHub
  • 05/17/2022, 11/08/2022

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute …

[org.apache.sling:org.apache.sling.xss] XML External Entity Reference in Apache Sling

  • Posted in CRITICAL
  • Posted by GitHub
  • 05/17/2022, 11/04/2022

In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially…

[org.apache.struts:struts2-core] Possible DoS attack when using URLValidator

  • Posted in MODERATE
  • Posted by GitHub
  • 05/17/2022, 11/04/2022

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
References

https://nvd.nist.gov/vuln/detail/CVE-2016-4465
https://bugzilla….

[org.apache.struts:struts2-core] Denial of service in Apache Struts

  • Posted in MODERATE
  • Posted by GitHub
  • 05/17/2022, 11/04/2022

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.
References

https://nvd.nist.gov/vuln/detail/CVE-2012-4387
https://exchange.xf…

[org.apache.struts:struts2-core] Cross-Site Request Forgery in Apache Struts

  • Posted in MODERATE
  • Posted by GitHub
  • 05/17/2022, 11/04/2022

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration…
