Max CVSS | 7.5 | Min CVSS | 2.1 | Total Count | 2 |
ID | CVSS | Summary | Last (major) update | Published | |
CVE-2016-1000338 | 5.0 |
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in s
|
29-08-2024 - 11:09 | 01-06-2018 - 20:29 | |
CVE-2020-10969 | 6.8 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
|
03-07-2024 - 01:36 | 26-03-2020 - 13:15 | |
CVE-2020-10968 | 6.8 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
|
03-07-2024 - 01:36 | 26-03-2020 - 13:15 | |
CVE-2017-15100 | 4.3 |
An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on
|
15-02-2024 - 21:36 | 27-11-2017 - 14:29 | |
CVE-2020-9548 | 6.8 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
|
13-09-2023 - 14:57 | 02-03-2020 - 04:15 | |
CVE-2020-9547 | 6.8 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
|
13-09-2023 - 14:57 | 02-03-2020 - 04:15 | |
CVE-2017-15095 | 7.5 |
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMappe
|
13-09-2023 - 14:23 | 06-02-2018 - 15:29 | |
CVE-2019-12086 | 5.0 |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java ja
|
13-09-2023 - 14:16 | 17-05-2019 - 17:29 | |
CVE-2020-8840 | 7.5 |
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
|
08-06-2023 - 17:54 | 10-02-2020 - 21:56 | |
CVE-2019-10906 | 5.0 |
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
|
01-03-2023 - 14:56 | 07-04-2019 - 00:29 | |
CVE-2019-12387 | 4.3 |
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
|
28-02-2023 - 20:47 | 10-06-2019 - 12:29 | |
CVE-2020-8184 | 5.0 |
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.
|
16-02-2023 - 19:24 | 19-06-2020 - 17:15 | |
CVE-2018-1097 | 4.0 |
A flaw was found in foreman before 1.16.1. The issue allows users with limited permissions for powering oVirt/RHV hosts on and off to discover the username and password used to connect to the compute resource.
|
13-02-2023 - 04:53 | 04-04-2018 - 21:29 | |
CVE-2016-2100 | 6.5 |
Foreman before 1.10.3 and 1.11.0 before 1.11.0-RC2 allow remote authenticated users to read, modify, or delete private bookmarks by leveraging the (1) edit_bookmarks or (2) destroy_bookmarks permission.
|
13-02-2023 - 04:50 | 20-05-2016 - 14:59 | |
CVE-2013-2099 | 4.3 |
Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial
|
13-02-2023 - 04:42 | 09-10-2013 - 14:53 | |
CVE-2015-0224 | 5.0 |
qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203.
|
13-02-2023 - 00:45 | 30-10-2017 - 14:29 | |
CVE-2020-14380 | 6.0 |
An account takeover flaw was found in Red Hat Satellite 6.7.2 onward. A potential attacker with proper authentication to the relevant external authentication source (SSO or Open ID) can claim the privileges of already existing local users of Satellit
|
12-02-2023 - 23:40 | 02-06-2021 - 13:15 | |
CVE-2020-14334 | 4.6 |
A flaw was found in Red Hat Satellite 6 which allows a privileged attacker to read cache files. These cache credentials could help an attacker to gain complete control of the Satellite instance.
|
12-02-2023 - 23:40 | 31-07-2020 - 13:15 | |
CVE-2019-14825 | 4.0 |
A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry cre
|
12-02-2023 - 23:34 | 25-11-2019 - 16:15 | |
CVE-2017-12175 | 3.5 |
Red Hat Satellite before 6.5 is vulnerable to an XSS in the discovery rule when you are entering a filter and you use the autocomplete functionality.
|
12-02-2023 - 23:27 | 26-07-2018 - 17:29 | |
CVE-2018-10917 | 4.0 |
pulp 2.16.x and possibly older is vulnerable to improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso reposit
|
12-02-2023 - 22:15 | 15-08-2018 - 17:29 | |
CVE-2020-5267 | 3.5 |
In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in
|
03-02-2023 - 16:39 | 19-03-2020 - 18:15 | |
CVE-2020-8161 | 5.0 |
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure.
|
02-02-2023 - 19:20 | 02-07-2020 - 19:15 | |
CVE-2020-7663 | 5.0 |
websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-b
|
20-01-2023 - 18:22 | 02-06-2020 - 19:15 | |
CVE-2015-3208 | None |
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
|
12-01-2023 - 23:15 | 25-07-2017 - 18:29 | |
CVE-2019-3893 | 4.0 |
In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resou
|
30-11-2022 - 22:00 | 09-04-2019 - 16:29 | |
CVE-2020-10716 | 4.0 |
A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and
|
21-10-2022 - 17:58 | 27-05-2021 - 19:15 | |
CVE-2019-10086 | 7.5 |
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by defa
|
25-07-2022 - 18:15 | 20-08-2019 - 21:15 | |
CVE-2018-10237 | 4.3 |
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray
|
29-06-2022 - 19:15 | 26-04-2018 - 21:29 | |
CVE-2020-10693 | 5.0 |
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping
|
10-05-2022 - 15:46 | 06-05-2020 - 14:15 | |
CVE-2018-5382 | 3.6 |
The default BKS keystore uses an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies t
|
20-04-2022 - 15:31 | 16-04-2018 - 14:29 | |
CVE-2017-5929 | 7.5 |
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
|
18-04-2022 - 17:58 | 13-03-2017 - 06:59 | |
CVE-2017-7536 | 4.4 |
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privi
|
10-03-2022 - 13:57 | 10-01-2018 - 15:29 | |
CVE-2020-7943 | 5.0 |
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain
|
24-01-2022 - 16:46 | 11-03-2020 - 23:15 | |
CVE-2017-10690 | 4.0 |
In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4
|
24-01-2022 - 16:46 | 09-02-2018 - 20:29 | |
CVE-2020-7942 | 4.0 |
Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `
|
30-12-2021 - 13:33 | 19-02-2020 - 21:15 | |
CVE-2020-9546 | 6.8 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
|
02-12-2021 - 21:22 | 02-03-2020 - 04:15 | |
CVE-2020-14062 | 6.8 |
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
|
17-11-2021 - 20:21 | 14-06-2020 - 20:15 | |
CVE-2020-14195 | 6.8 |
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
|
17-11-2021 - 20:20 | 16-06-2020 - 16:15 | |
CVE-2020-14061 | 6.8 |
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, o
|
17-11-2021 - 16:56 | 14-06-2020 - 20:15 | |
CVE-2019-16782 | 4.3 |
There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id.
|
02-11-2021 - 18:04 | 18-12-2019 - 20:15 | |
CVE-2018-1000632 | 5.0 |
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be explo
|
07-09-2021 - 06:15 | 20-08-2018 - 19:31 | |
CVE-2018-7536 | 5.0 |
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expr
|
04-08-2021 - 17:14 | 09-03-2018 - 20:29 | |
CVE-2020-7238 | 5.0 |
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869
|
27-05-2021 - 16:21 | 27-01-2020 - 17:15 | |
CVE-2020-11619 | 6.8 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
|
22-02-2021 - 21:29 | 07-04-2020 - 23:15 | |
CVE-2016-1000339 | 5.0 |
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lo
|
20-10-2020 - 22:15 | 04-06-2018 - 13:29 | |
CVE-2016-1000352 | 5.8 |
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
|
20-10-2020 - 22:15 | 04-06-2018 - 21:29 | |
CVE-2016-1000346 | 4.3 |
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in
|
20-10-2020 - 22:15 | 04-06-2018 - 21:29 | |
CVE-2016-1000345 | 4.3 |
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identif
|
20-10-2020 - 22:15 | 04-06-2018 - 21:29 | |
CVE-2016-1000344 | 5.8 |
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
|
20-10-2020 - 22:15 | 04-06-2018 - 21:29 | |
CVE-2016-1000342 | 5.0 |
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in
|
20-10-2020 - 22:15 | 04-06-2018 - 13:29 | |
CVE-2016-1000343 | 5.0 |
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generate
|
20-10-2020 - 22:15 | 04-06-2018 - 13:29 | |
CVE-2016-1000341 | 4.3 |
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacke
|
20-10-2020 - 22:15 | 04-06-2018 - 13:29 | |
CVE-2016-1000340 | 5.0 |
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom el
|
20-10-2020 - 22:15 | 04-06-2018 - 13:29 | |
CVE-2019-3891 | 2.1 |
It was discovered that a world-readable log file belonging to Candlepin component of Red Hat Satellite 6.4 leaked the credentials of the Candlepin database. A malicious user with local access to a Satellite host can use those credentials to modify th
|
15-10-2020 - 19:58 | 15-04-2019 - 12:31 | |
CVE-2019-12086 | 5.0 |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java ja
|
01-10-2020 - 00:15 | 17-05-2019 - 17:29 | |
CVE-2019-10198 | 4.0 |
An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view th
|
30-09-2020 - 18:16 | 31-07-2019 - 22:15 | |
CVE-2020-7238 | 5.0 |
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869
|
25-09-2020 - 20:15 | 27-01-2020 - 17:15 | |
CVE-2019-12781 | 5.0 |
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django vi
|
24-08-2020 - 17:37 | 01-07-2019 - 14:15 | |
CVE-2020-5217 | 5.0 |
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be inj
|
21-05-2020 - 13:51 | 23-01-2020 - 03:15 | |
CVE-2018-11751 | 4.8 |
Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0.
|
07-04-2020 - 13:10 | 16-12-2019 - 22:15 | |
CVE-2020-5216 | 5.0 |
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injec
|
18-02-2020 - 14:58 | 23-01-2020 - 03:15 | |
CVE-2018-1090 | 5.0 |
In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
|
09-10-2019 - 23:38 | 18-06-2018 - 14:29 | |
CVE-2018-1096 | 4.0 |
An input sanitization flaw was found in the id field in the dashboard controller of Foreman before 1.16.1. A user could use this flaw to perform an SQL injection attack on the back end database.
|
09-10-2019 - 23:38 | 05-04-2018 - 21:29 | |
CVE-2018-16470 | 5.0 |
There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.
|
09-10-2019 - 23:36 | 13-11-2018 - 23:29 | |
CVE-2019-0231 | 5.0 |
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.
|
08-10-2019 - 17:47 | 01-10-2019 - 20:15 | |
CVE-2018-3258 | 6.5 |
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple p
|
03-10-2019 - 00:03 | 17-10-2018 - 01:31 | |
CVE-2017-10689 | 2.1 |
In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.
|
03-10-2019 - 00:03 | 09-02-2018 - 20:29 | |
CVE-2016-10745 | 5.0 |
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
|
06-06-2019 - 16:29 | 08-04-2019 - 13:29 | |
CVE-2018-16861 | 3.5 |
A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute XSS attacks against other users, possib
|
14-05-2019 - 17:29 | 07-12-2018 - 19:29 | |
CVE-2018-14664 | 3.5 |
A flaw was found in foreman from versions 1.18. A stored cross-site scripting vulnerability exists due to improperly escaped HTML code in the breadcrumbs bar. This allows a user with permissions to edit which attribute is used in the breadcrumbs b
|
14-05-2019 - 17:29 | 12-10-2018 - 22:15 | |
CVE-2016-6346 | 5.0 |
RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors.
|
14-05-2019 - 17:29 | 07-09-2016 - 18:59 | |
CVE-2018-16887 | 3.5 |
A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute XSS attacks against other users through the Subscriptions or the Red Hat Rep
|
14-05-2019 - 17:29 | 13-01-2019 - 02:29 | |
CVE-2018-6188 | 5.0 |
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated b
|
12-03-2019 - 17:54 | 05-02-2018 - 03:29 | |
CVE-2018-7537 | 5.0 |
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due t
|
28-02-2019 - 22:37 | 09-03-2018 - 20:29 | |
CVE-2017-7233 | 5.8 |
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some nu
|
17-10-2018 - 10:29 | 04-04-2017 - 17:59 | |
CVE-2015-6644 | 4.3 |
Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.
|
17-10-2018 - 10:29 | 06-01-2016 - 19:59 | |
CVE-2015-0203 | 4.0 |
The qpidd broker in Apache Qpid 0.30 and earlier allows remote authenticated users to cause a denial of service (daemon crash) via an AMQP message with (1) an invalid range in a sequence set, (2) content-bearing methods other than message-transfer, o
|
18-03-2018 - 14:05 | 21-02-2018 - 15:29 | |
CVE-2016-10516 | 4.3 |
Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML v
|
04-02-2018 - 02:29 | 23-10-2017 - 16:29 | |
CVE-2017-17718 | 4.3 |
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.
|
05-01-2018 - 18:12 | 17-12-2017 - 21:29 | |
CVE-2015-0223 | 5.0 |
Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd via unknown vectors, related to 0-10 connection handling.
|
05-01-2018 - 02:29 | 02-02-2015 - 16:59 | |
CVE-2015-1609 | 5.0 |
MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request.
|
01-07-2017 - 01:29 | 30-03-2015 - 14:59 |