CWE:
 

Tytuł
Data
Autor
Med.
LISTSERV Maestro 9.0-8 Remote Code Execution
21.10.2020
b0yd

Common Weakness Enumeration (CWE)

CVE
Szczegóły
Opis
2023-09-12
Waiting for details
CVE-2023-41331
Updating...
 
 
SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.

 
2023-07-12
Waiting for details
CVE-2022-42009
Updating...
 
 
SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7.

 
Waiting for details
CVE-2022-45855
Updating...
 
 
SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7.

 
Waiting for details
CVE-2023-32200
Updating...
 
 
There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena: from 3.7.0 through 4.8.0.

 
2023-04-25
Waiting for details
CVE-2023-22665
Updating...
 
 
There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.

 
2022-09-24
Waiting for details
CVE-2022-23463
Updating...
 
 
Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver�??s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at time of publication. There are no known workarounds.

 
2022-06-23
Medium
CVE-2022-22980
Vendor: Vmware
Software: Spring data ...
 
 
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

 
2022-04-12
Medium
CVE-2021-31805
Vendor: Apache
Software: Struts
 
 
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag�??s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

 
2020-11-26
Medium
CVE-2020-7779
Vendor: Djvalidator project
Software: Djvalidator
 
 
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, --@------------------------------------------------------------------------------------------------------------------------!.

 
2020-10-19
High
CVE-2020-7181
Vendor: HP
Software: Intelligent ...
 
 
A smsrulesdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

 

 

Copyright 2024, cxsecurity.com

 

Back to Top