Filtered by vendor Oracle
Subscriptions
Filtered by product Retail Xstore Point Of Service
Subscriptions
Total
125 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-5421 | 4 Netapp, Oracle, Redhat and 1 more | 39 Oncommand Insight, Snap Creator Framework, Snapcenter and 36 more | 2024-09-17 | 6.5 Medium |
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. | ||||
CVE-2018-1258 | 5 Netapp, Oracle, Pivotal Software and 2 more | 43 Oncommand Insight, Oncommand Unified Manager, Oncommand Workflow Automation and 40 more | 2024-09-17 | 8.8 High |
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. | ||||
CVE-2018-11763 | 5 Apache, Canonical, Netapp and 2 more | 11 Http Server, Ubuntu Linux, Storage Automation Store and 8 more | 2024-09-17 | N/A |
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. | ||||
CVE-2018-11040 | 3 Debian, Oracle, Vmware | 28 Debian Linux, Agile Product Lifecycle Management, Application Testing Suite and 25 more | 2024-09-17 | 7.5 High |
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests. | ||||
CVE-2019-3740 | 2 Dell, Oracle | 18 Bsafe Cert-j, Bsafe Crypto-j, Bsafe Ssl-j and 15 more | 2024-09-17 | 6.5 Medium |
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys. | ||||
CVE-2018-17189 | 7 Apache, Canonical, Debian and 4 more | 14 Http Server, Ubuntu Linux, Debian Linux and 11 more | 2024-09-17 | 5.3 Medium |
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections. | ||||
CVE-2019-0190 | 3 Apache, Openssl, Oracle | 6 Http Server, Openssl, Enterprise Manager Ops Center and 3 more | 2024-09-16 | 7.5 High |
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts. | ||||
CVE-2017-12617 | 6 Apache, Canonical, Debian and 3 more | 60 Tomcat, Ubuntu Linux, Debian Linux and 57 more | 2024-09-16 | 8.1 High |
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. | ||||
CVE-2018-1271 | 3 Oracle, Redhat, Vmware | 30 Application Testing Suite, Big Data Discovery, Communications Converged Application Server and 27 more | 2024-09-16 | 5.9 Medium |
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. | ||||
CVE-2018-11039 | 3 Debian, Oracle, Vmware | 33 Debian Linux, Agile Plm, Application Testing Suite and 30 more | 2024-09-16 | 5.9 Medium |
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. | ||||
CVE-2017-15707 | 3 Apache, Netapp, Oracle | 12 Struts, Oncommand Balance, Agile Plm Framework and 9 more | 2024-09-16 | N/A |
In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. | ||||
CVE-2018-1270 | 4 Debian, Oracle, Redhat and 1 more | 29 Debian Linux, Application Testing Suite, Big Data Discovery and 26 more | 2024-09-16 | 9.8 Critical |
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. | ||||
CVE-2019-3738 | 3 Dell, Mcafee, Oracle | 16 Bsafe Cert-j, Bsafe Crypto-j, Bsafe Ssl-j and 13 more | 2024-09-16 | 6.5 Medium |
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to a Missing Required Cryptographic Step vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key. | ||||
CVE-2019-3739 | 2 Dell, Oracle | 16 Bsafe Cert-j, Bsafe Crypto-j, Bsafe Ssl-j and 13 more | 2024-09-16 | 6.5 Medium |
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys. | ||||
CVE-2018-15756 | 4 Debian, Oracle, Redhat and 1 more | 42 Debian Linux, Agile Plm, Communications Brm - Elastic Charging Engine and 39 more | 2024-09-16 | 7.5 High |
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. | ||||
CVE-2018-11797 | 4 Apache, Fedoraproject, Oracle and 1 more | 4 Pdfbox, Fedora, Retail Xstore Point Of Service and 1 more | 2024-09-16 | 5.5 Medium |
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree. | ||||
CVE-2018-8032 | 3 Apache, Debian, Oracle | 38 Axis, Debian Linux, Agile Engineering Data Management and 35 more | 2024-09-16 | 6.1 Medium |
Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. | ||||
CVE-2018-1199 | 3 Oracle, Redhat, Vmware | 6 Rapid Planning, Retail Xstore Point Of Service, Fuse and 3 more | 2024-09-16 | 5.3 Medium |
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed. | ||||
CVE-2016-3429 | 1 Oracle | 1 Retail Xstore Point Of Service | 2024-08-05 | N/A |
Unspecified vulnerability in the Oracle Retail Xstore Point of Service component in Oracle Retail Applications 5.0, 5.5, 6.0, 6.5, 7.0, and 7.1 allows remote authenticated users to affect confidentiality and integrity via vectors related to Xstore Services. | ||||
CVE-2017-10427 | 1 Oracle | 1 Retail Xstore Point Of Service | 2024-08-05 | N/A |
Vulnerability in the Oracle Retail Xstore Point of Service component of Oracle Retail Applications (subcomponent: Point of Sale). Supported versions that are affected are 6.0.11, 6.5.11, 7.0.6, 7.1.6 and 15.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Xstore Point of Service. While the vulnerability is in Oracle Retail Xstore Point of Service, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Xstore Point of Service accessible data as well as unauthorized read access to a subset of Oracle Retail Xstore Point of Service accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Xstore Point of Service. CVSS 3.0 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L). |