Total
11 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-9488 | 4 Apache, Debian, Oracle and 1 more | 46 Log4j, Debian Linux, Communications Application Session Controller and 43 more | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 | |||||
CVE-2020-5421 | 3 Netapp, Oracle, Vmware | 38 Oncommand Insight, Snap Creator Framework, Snapcenter and 35 more | 2024-11-21 | 3.6 LOW | 6.5 MEDIUM |
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. | |||||
CVE-2020-11023 | 7 Debian, Drupal, Fedoraproject and 4 more | 55 Debian Linux, Drupal, Fedora and 52 more | 2024-11-21 | 4.3 MEDIUM | 6.9 MEDIUM |
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | |||||
CVE-2020-10683 | 5 Canonical, Dom4j Project, Netapp and 2 more | 38 Ubuntu Linux, Dom4j, Oncommand Api Services and 35 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. | |||||
CVE-2019-3740 | 2 Dell, Oracle | 18 Bsafe Cert-j, Bsafe Crypto-j, Bsafe Ssl-j and 15 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys. | |||||
CVE-2019-3739 | 2 Dell, Oracle | 16 Bsafe Cert-j, Bsafe Crypto-j, Bsafe Ssl-j and 13 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys. | |||||
CVE-2019-3738 | 3 Dell, Mcafee, Oracle | 16 Bsafe Cert-j, Bsafe Crypto-j, Bsafe Ssl-j and 13 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to a Missing Required Cryptographic Step vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key. | |||||
CVE-2019-2729 | 1 Oracle | 9 Communications Diameter Signaling Router, Communications Network Integrity, Hyperion Infrastructure Technology and 6 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
CVE-2019-2725 | 1 Oracle | 8 Agile Plm, Communications Converged Application Server, Peoplesoft Enterprise Peopletools and 5 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
CVE-2019-11358 | 11 Backdropcms, Debian, Drupal and 8 more | 105 Backdrop, Debian Linux, Drupal and 102 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. | |||||
CVE-2015-4852 | 1 Oracle | 3 Storagetek Tape Analytics Sw Tool, Virtual Desktop Infrastructure, Weblogic Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. |