RSS   Vulnerabilities for 'Retail open commerce platform'   RSS

2019-03-21
 
CVE-2018-12023

CWE-502
 

 
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

 
2018-10-16
 
CVE-2018-3122

CWE-noinfo
 

 
Vulnerability in the Oracle Retail Open Commerce Platform component of Oracle Retail Applications (subcomponent: Integrations). Supported versions that are affected are 6.0, 6.0.1 and 5.3. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Open Commerce Platform. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Retail Open Commerce Platform accessible data as well as unauthorized access to critical data or complete access to all Oracle Retail Open Commerce Platform accessible data. CVSS 3.0 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).

 
2018-05-11
 
CVE-2018-1257

CWE-20
 

 
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

 
2018-04-11
 
CVE-2018-1275

CWE-358
 

 
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

 
2018-04-06
 
CVE-2018-1272

CWE-noinfo
 

 
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

 
 
CVE-2018-1271

CWE-22
 

 
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

 
 
CVE-2018-1270

CWE-358
 

 
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

 
2017-04-17
 
CVE-2017-5645

CWE-502
 

 
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

 

 >>> Vendor: Oracle 636 Products
Oracle8i
Database server
Http server
Database assistant
Web listener
Application server
Listener
Internet directory
Oracle9i
E-business suite
JSP
Application server web cache
Corporate time outlook connector
Reports
Configurator
Applications
Oracle files
Application server portal
Collaboration suite
Enterprise manager
Enterprise manager database control
Enterprise manager grid control
Oracle10g
Database server lite
10g reports server
Forms
Jdeveloper
Forms builder
Html db
Clinical
10g enterprise manager database control
Enterprise manager application server control
Peoplesoft enterprise
Enterpriseone
Peoplesoft enterprise customer relationship management
Application server discussion forum portlet
Peoplesoft enterprise portal
Oracle client
10g enterprise manager grid control
Developer suite
Workflow
Diagnostics
Collaboration suite 10g release 1
Peoplesoft enterprise tools
Pharmaceutical
Exchange
APEX
Rapid install web server
Peoplesoft enterprise human capital management
Peoplesoft enterprise peopletools
Secure enterprise search
Jinitiator
Enterprise grid console server
Opmn daemon
Application server 9i
Application express
Database 9i
Application server 10g
Database 10g
Database 11g
E-business suite 11i
E-business suite 12
Peoplesoft hcm eperformance
Siebel enterprise
Bea product suite
Weblogic server
Webloic server component
Weblogic server component
Oracle portal component
Report manager component
Application object library
Advanced replication
Enterprise manager 10g
Instance management component
Advanced replication component
Oracle database
Oracle application server
Mobile application server
Times ten client server component
Times ten in memory database
Times ten client server
Spatial component
Data pump component
Authentication component
Advanced queuing component
Oracle applications technology stack component
Core rdbms component
Hyperion bi plus component
Database scheduler
Oracle http server component
Jd edwards enterpriseone
Peoplesoft peopletools component
Peoplesoft peopletools
Glassfish server
Database 11i
Jd edwards enterpriseone ep
Secure backup
Weblogic workshop
Timesten in-memory database
Enterprise manager grid control 10g
See all Products for Vendor Oracle


Copyright 2019, cxsecurity.com

 

Back to Top