Vulnerabilities for Retail back office (...) - CXSECURITY.COM

Vulnerabilities for 'Retail back office'

2018-05-24

CVE-2018-8013

CWE-502

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

2018-05-11

CVE-2018-1258

CWE-863

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

2018-04-18

CVE-2018-2861

CWE-noinfo

Vulnerability in the Oracle Retail Back Office component of Oracle Retail Applications (subcomponent: Security). Supported versions that are affected are 13.4.9, 14.0.4 and 14.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Back Office. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Retail Back Office accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Back Office. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).

2018-04-06

CVE-2018-1272

CWE-noinfo

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

CVE-2018-1271

CWE-22

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

CVE-2018-1270

CWE-358

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

2017-10-19

CVE-2017-10423

CWE-noinfo

Vulnerability in the Oracle Retail Back Office component of Oracle Retail Applications (subcomponent: Security). Supported versions that are affected are 13.2, 13.3, 13.4, 14.0 and 14.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Back Office. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Retail Back Office, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Back Office accessible data as well as unauthorized read access to a subset of Oracle Retail Back Office accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

>>> Vendor: Oracle 744 Products

Database server

Database assistant

Application server

Internet directory

E-business suite

Application server web cache

Corporate time outlook connector

Application server portal

Collaboration suite

Enterprise manager

Enterprise manager database control

Enterprise manager grid control

Database server lite

10g reports server

10g enterprise manager database control

Enterprise manager application server control

Peoplesoft enterprise

Peoplesoft enterprise customer relationship management

Application server discussion forum portlet

Peoplesoft enterprise portal

10g enterprise manager grid control

Developer suite

Collaboration suite 10g release 1

Peoplesoft enterprise tools

Rapid install web server

Peoplesoft enterprise human capital management

Peoplesoft enterprise peopletools

Secure enterprise search

Enterprise grid console server

Application server 9i

Application express

Application server 10g

E-business suite 11i

E-business suite 12

Peoplesoft hcm eperformance

Siebel enterprise

Bea product suite

Weblogic server

Webloic server component

Weblogic server component

Oracle portal component

Report manager component

Application object library

Advanced replication

Enterprise manager 10g

Instance management component

Advanced replication component

Oracle database

Oracle application server

Mobile application server

Times ten client server component

Times ten in memory database

Times ten client server

Spatial component

Data pump component

Authentication component

Advanced queuing component

Oracle applications technology stack component

Core rdbms component

Hyperion bi plus component

Database scheduler

Oracle http server component

Jd edwards enterpriseone

Peoplesoft peopletools component

Peoplesoft peopletools

Glassfish server

Jd edwards enterpriseone ep

Weblogic workshop

Timesten in-memory database

Enterprise manager grid control 10g

See all Products for Vendor Oracle

Copyright 2024, cxsecurity.com