Filtered by vendor Oracle Subscriptions
Filtered by product Communications Unified Inventory Management Subscriptions
Total 72 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-3738 3 Dell, Mcafee, Oracle 16 Bsafe Cert-j, Bsafe Crypto-j, Bsafe Ssl-j and 13 more 2024-11-21 6.5 Medium
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to a Missing Required Cryptographic Step vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-17091 2 Eclipse, Oracle 23 Mojarra, Application Testing Suite, Banking Enterprise Product Manufacturing and 20 more 2024-11-21 6.1 Medium
faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.
CVE-2019-11358 11 Backdropcms, Debian, Drupal and 8 more 114 Backdrop, Debian Linux, Drupal and 111 more 2024-11-21 6.1 Medium
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2019-10219 3 Netapp, Oracle, Redhat 199 Active Iq Unified Manager, Element, Management Services For Element Software And Netapp Hci and 196 more 2024-11-21 6.1 Medium
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CVE-2019-10173 3 Oracle, Redhat, Xstream Project 15 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 12 more 2024-11-21 9.8 Critical
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
CVE-2019-10086 6 Apache, Debian, Fedoraproject and 3 more 73 Commons Beanutils, Nifi, Debian Linux and 70 more 2024-11-21 7.3 High
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
CVE-2018-2571 1 Oracle 1 Communications Unified Inventory Management 2024-11-21 N/A
Vulnerability in the Oracle Communications Unified Inventory Management component of Oracle Communications Applications (subcomponent: Portal). Supported versions that are affected are 7.2.4.2.x and 7.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Unified Inventory Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Unified Inventory Management accessible data as well as unauthorized read access to a subset of Oracle Communications Unified Inventory Management accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
CVE-2018-2570 1 Oracle 1 Communications Unified Inventory Management 2024-11-21 N/A
Vulnerability in the Oracle Communications Unified Inventory Management component of Oracle Communications Applications (subcomponent: Portal). Supported versions that are affected are 7.2.4.2.x and 7.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Unified Inventory Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Unified Inventory Management accessible data as well as unauthorized read access to a subset of Oracle Communications Unified Inventory Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Unified Inventory Management. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
CVE-2018-1257 3 Oracle, Redhat, Vmware 32 Agile Product Lifecycle Management, Application Testing Suite, Big Data Discovery and 29 more 2024-11-21 6.5 Medium
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
CVE-2018-15756 4 Debian, Oracle, Redhat and 1 more 42 Debian Linux, Agile Plm, Communications Brm - Elastic Charging Engine and 39 more 2024-11-21 7.5 High
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
CVE-2018-11040 3 Debian, Oracle, Vmware 28 Debian Linux, Agile Product Lifecycle Management, Application Testing Suite and 25 more 2024-11-21 7.5 High
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CVE-2018-11039 3 Debian, Oracle, Vmware 33 Debian Linux, Agile Plm, Application Testing Suite and 30 more 2024-11-21 5.9 Medium
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.