Filtered by vendor Oracle Subscriptions
Filtered by product Financial Services Analytical Applications Infrastructure Subscriptions
Total 77 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-11358 11 Backdropcms, Debian, Drupal and 8 more 114 Backdrop, Debian Linux, Drupal and 111 more 2024-11-21 6.1 Medium
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2019-10219 3 Netapp, Oracle, Redhat 199 Active Iq Unified Manager, Element, Management Services For Element Software And Netapp Hci and 196 more 2024-11-21 6.1 Medium
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CVE-2019-0227 2 Apache, Oracle 37 Axis, Agile Engineering Data Management, Agile Product Lifecycle Management Framework and 34 more 2024-11-21 7.5 High
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
CVE-2018-8032 3 Apache, Debian, Oracle 38 Axis, Debian Linux, Agile Engineering Data Management and 35 more 2024-11-21 6.1 Medium
Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.
CVE-2018-8013 4 Apache, Canonical, Debian and 1 more 21 Batik, Ubuntu Linux, Debian Linux and 18 more 2024-11-21 N/A
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.
CVE-2018-2661 1 Oracle 1 Financial Services Analytical Applications Infrastructure 2024-11-21 N/A
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 7.3.5.x and 8.0.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Analytical Applications Infrastructure, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2018-2660 1 Oracle 1 Financial Services Analytical Applications Infrastructure 2024-11-21 N/A
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 7.3.5.x and 8.0.x. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. While the vulnerability is in Oracle Financial Services Analytical Applications Infrastructure, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Financial Services Analytical Applications Infrastructure. CVSS 3.0 Base Score 7.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).
CVE-2018-15756 4 Debian, Oracle, Redhat and 1 more 42 Debian Linux, Agile Plm, Communications Brm - Elastic Charging Engine and 39 more 2024-11-21 7.5 High
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
CVE-2018-14721 4 Debian, Fasterxml, Oracle and 1 more 21 Debian Linux, Jackson-databind, Banking Platform and 18 more 2024-11-21 N/A
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVE-2018-14720 4 Debian, Fasterxml, Oracle and 1 more 21 Debian Linux, Jackson-databind, Banking Platform and 18 more 2024-11-21 N/A
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVE-2018-14719 5 Debian, Fasterxml, Netapp and 2 more 31 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 28 more 2024-11-21 9.8 Critical
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CVE-2018-14718 5 Debian, Fasterxml, Netapp and 2 more 36 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 33 more 2024-11-21 9.8 Critical
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVE-2017-7525 5 Debian, Fasterxml, Netapp and 2 more 30 Debian Linux, Jackson-databind, Oncommand Balance and 27 more 2024-11-21 9.8 Critical
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVE-2017-5645 4 Apache, Netapp, Oracle and 1 more 86 Log4j, Oncommand Api Services, Oncommand Insight and 83 more 2024-11-21 9.8 Critical
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
CVE-2017-15095 5 Debian, Fasterxml, Netapp and 2 more 31 Debian Linux, Jackson-databind, Oncommand Balance and 28 more 2024-11-21 9.8 Critical
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVE-2017-12617 6 Apache, Canonical, Debian and 3 more 60 Tomcat, Ubuntu Linux, Debian Linux and 57 more 2024-11-21 8.1 High
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2015-9251 3 Jquery, Oracle, Redhat 51 Jquery, Agile Product Lifecycle Management For Process, Banking Platform and 48 more 2024-11-21 N/A
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.