Show filters
46 Total Results
Displaying 1-10 of 46
Sort by:
Attacker Value
Low
CVE-2019-11358
Disclosure Date: April 20, 2019 (last updated February 17, 2024)
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
6
Attacker Value
Moderate
CVE-2019-13990
Disclosure Date: July 26, 2019 (last updated December 23, 2023)
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
2
Attacker Value
Unknown
CVE-2017-12617
Disclosure Date: October 04, 2017 (last updated July 17, 2024)
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
1
Attacker Value
Unknown
CVE-2021-36374
Disclosure Date: July 14, 2021 (last updated November 08, 2023)
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
0
Attacker Value
Unknown
CVE-2020-10683
Disclosure Date: May 01, 2020 (last updated February 21, 2025)
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
0
Attacker Value
Unknown
CVE-2020-9488
Disclosure Date: April 27, 2020 (last updated February 21, 2025)
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
0
Attacker Value
Unknown
CVE-2019-10219
Disclosure Date: November 08, 2019 (last updated November 08, 2023)
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
0
Attacker Value
Unknown
CVE-2019-17359
Disclosure Date: October 08, 2019 (last updated November 08, 2023)
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
0
Attacker Value
Unknown
CVE-2019-5482
Disclosure Date: September 16, 2019 (last updated November 08, 2023)
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
0
Attacker Value
Unknown
CVE-2019-10086
Disclosure Date: August 20, 2019 (last updated November 08, 2023)
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
0