banking_digital_experience

CVE-2021-41165

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-8.2||HIGH

EPSS-0.09% / 26.28%

||

7 Day CHG~0.00%

Published-17 Nov, 2021 | 19:15

Updated-04 Aug, 2024 | 02:59

HTML comments vulnerability allowing to execute JavaScript code

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

Vendor-ckeditor ckeditor The Drupal Association Oracle Corporation

Product-application_express banking_apis peoplesoft_enterprise_peopletools banking_digital_experience drupal ckeditor commerce_guided_search webcenter_portal agile_product_lifecycle_management ckeditor4

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-41164

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-8.2||HIGH

EPSS-0.05% / 15.45%

||

7 Day CHG~0.00%

Published-17 Nov, 2021 | 00:00

Updated-04 Aug, 2024 | 02:59

Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

Vendor-ckeditor ckeditor Fedora Project Oracle Corporation The Drupal Association

Product-application_express banking_apis peoplesoft_enterprise_peopletools banking_digital_experience fedora drupal ckeditor agile_plm commerce_guided_search webcenter_portal ckeditor4

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-37137

Assigner-JFrog

View Details

Assigner-JFrog

CVSS Score-7.5||HIGH

EPSS-0.60% / 68.42%

||

7 Day CHG~0.00%

Published-19 Oct, 2021 | 00:00

Updated-04 Aug, 2024 | 01:16

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Vendor-quarkus The Netty Project NetApp, Inc.Debian GNU/Linux Oracle Corporation

Product-communications_diameter_signaling_router banking_apis peoplesoft_enterprise_peopletools debian_linux banking_digital_experience quarkus netty communications_cloud_native_core_binding_support_function commerce_guided_search communications_brm_-_elastic_charging_engine webcenter_portal oncommand_insight Netty

CWE ID-CWE-400

Uncontrolled Resource Consumption

CVE-2021-37136

Assigner-JFrog

View Details

Assigner-JFrog

CVSS Score-7.5||HIGH

EPSS-0.23% / 45.65%

||

7 Day CHG~0.00%

Published-19 Oct, 2021 | 00:00

Updated-04 Aug, 2024 | 01:16

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

CWE ID-CWE-400

Uncontrolled Resource Consumption

CVE-2021-2351

Assigner-Oracle

View Details

Assigner-Oracle

CVSS Score-8.3||HIGH

EPSS-3.54% / 87.22%

||

7 Day CHG~0.00%

Published-20 Jul, 2021 | 22:43

Updated-03 Aug, 2024 | 16:38

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. Note: The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: "Changes in Native Network Encryption with the July 2021 Critical Patch Update" (Doc ID 2791571.1). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Vendor-Oracle Corporation

Product-hospitality_reporting_and_analytics peoplesoft_enterprise_peopletools primavera_unifier clinical retail_back_office argus_safety health_sciences_clinical_development_analytics communications_network_integrity communications_session_route_manager primavera_p6_professional_project_management communications_network_charging_and_control retail_assortment_planning storagetek_acsls retail_service_backbone primavera_analytics argus_mart oss_support_tools communications_application_session_controller financial_services_trade-based_anti_money_laundering retail_order_broker communications_design_studio airlines_data_model retail_price_management health_sciences_inform_crf_submit documaker spatial_studio zfs_storage_application_integration_engineering_software communications_contacts_server utilities_testing_accelerator retail_customer_insights rapid_planning banking_digital_experience healthcare_translational_research retail_order_management_system communications_ip_service_activator retail_financial_integration demantra_demand_management retail_returns_management flexcube_private_banking hospitality_suite8 enterprise_data_quality financial_services_enterprise_case_management graph_server_and_client communications_diameter_intelligence_hub hospitality_inventory_management weblogic_server communications_data_model big_data_spatial_and_graph instantis_enterprisetrack hospitality_opera_5 goldengate_application_adapters enterprise_manager_base_platform data_integrator flexcube_investor_servicing healthcare_data_repository communications_metasolv_solution retail_store_inventory_management retail_central_office ilearning primavera_gateway financial_services_foreign_account_tax_compliance_act_management financial_services_behavior_detection_platform policy_automation banking_platform communications_session_report_manager thesaurus_management_system retail_merchandising_system primavera_data_warehouse agile_plm communications_convergent_charging_controller retail_point-of-service commerce_platform banking_apis banking_enterprise_default_management blockchain_platform healthcare_foundation financial_services_analytical_applications_infrastructure argus_analytics timesten_in-memory_database enterprise_manager_ops_center application_testing_suite communications_services_gatekeeper fusion_middleware argus_insight insurance_insbridge_rating_and_underwriting retail_predictive_application_server agile_product_lifecycle_management_for_process insurance_rules_palette communications_billing_and_revenue_management siebel_ui_framework retail_integration_bus agile_engineering_data_management storagetek_tape_analytics utilities_framework advanced_networking_option goldengate primavera_p6_enterprise_project_portfolio_management retail_analytics communications_pricing_design_center health_sciences_information_manager application_performance_management communications_calendar_server retail_xstore_point_of_service insurance_policy_administration financial_services_model_management_and_governance product_lifecycle_analytics retail_extract_transform_and_load hyperion_infrastructure_technology insurance_data_gateway real_user_experience_insight jd_edwards_enterpriseone_tools WebLogic Server

CWE ID-CWE-384

Session Fixation

CWE ID-CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CVE-2021-36090

Assigner-Apache Software Foundation

View Details

Assigner-Apache Software Foundation

CVSS Score-7.5||HIGH

EPSS-0.28% / 50.89%

||

7 Day CHG~0.00%

Published-13 Jul, 2021 | 07:15

Updated-04 Aug, 2024 | 00:47

Apache Commons Compress 1.0 to 1.20 denial of service vulnerability

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Vendor-NetApp, Inc.The Apache Software Foundation Oracle Corporation

Product-healthcare_data_repository peoplesoft_enterprise_peopletools primavera_unifier primavera_gateway communications_session_route_manager banking_platform communications_session_report_manager banking_party_management banking_apis banking_enterprise_default_management banking_payments communications_cloud_native_core_unified_data_repository financial_services_analytical_applications_infrastructure flexcube_universal_banking communications_unified_inventory_management business_process_management_suite oncommand_insight communications_cloud_native_core_automated_test_suite communications_cloud_native_core_service_communication_proxy banking_digital_experience communications_billing_and_revenue_management utilities_testing_accelerator communications_messaging_server financial_services_crime_and_compliance_management_studio active_iq_unified_manager financial_services_enterprise_case_management banking_trade_finance communications_diameter_intelligence_hub commons_compress insurance_policy_administration communications_element_manager commerce_guided_search banking_treasury_management webcenter_portal Apache Commons Compress

CWE ID-CWE-130

Improper Handling of Length Parameter Inconsistency

CVE-2021-35517

Assigner-Apache Software Foundation

View Details

Assigner-Apache Software Foundation

CVSS Score-7.5||HIGH

EPSS-0.31% / 53.91%

||

7 Day CHG-0.00%

Published-13 Jul, 2021 | 07:15

Updated-04 Aug, 2024 | 00:40

Apache Commons Compress 1.1 to 1.20 denial of service vulnerability

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Vendor-NetApp, Inc.The Apache Software Foundation Oracle Corporation

Product-healthcare_data_repository peoplesoft_enterprise_peopletools primavera_unifier communications_cloud_native_core_service_communication_proxy banking_digital_experience communications_billing_and_revenue_management utilities_testing_accelerator oncommand_insight communications_messaging_server financial_services_crime_and_compliance_management_studio communications_session_route_manager active_iq_unified_manager financial_services_enterprise_case_management banking_party_management banking_trade_finance communications_diameter_intelligence_hub banking_apis banking_enterprise_default_management banking_payments communications_cloud_native_core_unified_data_repository flexcube_universal_banking commons_compress insurance_policy_administration commerce_guided_search banking_treasury_management webcenter_portal business_process_management_suite Apache Commons Compress

CWE ID-CWE-130

Improper Handling of Length Parameter Inconsistency

CWE ID-CWE-770

Allocation of Resources Without Limits or Throttling

CVE-2021-35516

Assigner-Apache Software Foundation

View Details

Assigner-Apache Software Foundation

CVSS Score-7.5||HIGH

EPSS-0.31% / 53.65%

||

7 Day CHG~0.00%

Published-13 Jul, 2021 | 07:15

Updated-04 Aug, 2024 | 00:40

Apache Commons Compress 1.6 to 1.20 denial of service vulnerability

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Vendor-NetApp, Inc.The Apache Software Foundation Oracle Corporation

CWE ID-CWE-130

Improper Handling of Length Parameter Inconsistency

CWE ID-CWE-770

Allocation of Resources Without Limits or Throttling

CVE-2021-35515

Assigner-Apache Software Foundation

View Details

Assigner-Apache Software Foundation

CVSS Score-7.5||HIGH

EPSS-0.12% / 31.57%

||

7 Day CHG-0.00%

Published-13 Jul, 2021 | 07:15

Updated-04 Aug, 2024 | 00:40

Apache Commons Compress 1.6 to 1.20 denial of service vulnerability

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Vendor-NetApp, Inc.The Apache Software Foundation Oracle Corporation

Product-healthcare_data_repository peoplesoft_enterprise_peopletools primavera_unifier communications_cloud_native_core_automated_test_suite communications_cloud_native_core_service_communication_proxy banking_digital_experience communications_billing_and_revenue_management oncommand_insight utilities_testing_accelerator communications_messaging_server financial_services_crime_and_compliance_management_studio communications_session_route_manager active_iq_unified_manager financial_services_enterprise_case_management banking_party_management banking_trade_finance communications_diameter_intelligence_hub banking_enterprise_default_management banking_payments communications_cloud_native_core_unified_data_repository flexcube_universal_banking commons_compress insurance_policy_administration commerce_guided_search banking_treasury_management business_process_management_suite Apache Commons Compress

CWE ID-CWE-834

Excessive Iteration

CWE ID-CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

CVE-2021-29425

Assigner-Apache Software Foundation

View Details

Assigner-Apache Software Foundation

CVSS Score-4.8||MEDIUM

EPSS-0.26% / 48.87%

||

7 Day CHG-0.01%

Published-13 Apr, 2021 | 06:50

Updated-03 Aug, 2024 | 22:02

Possible limited path traversal vulnerabily in Apache Commons IO

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Vendor-The Apache Software Foundation NetApp, Inc.Debian GNU/Linux Oracle Corporation

Product-healthcare_data_repository primavera_unifier communications_billing_and_revenue_management_elastic_charging_engine banking_enterprise_default_managment retail_service_backbone communications_order_and_service_management retail_assortment_planning banking_platform health_sciences_data_management_workbench communications_policy_management agile_plm oss_support_tools retail_merchandising_system communications_cloud_native_core_policy banking_party_management commons_io banking_apis communications_application_session_controller banking_enterprise_default_management blockchain_platform communications_cloud_native_core_unified_data_repository financial_services_analytical_applications_infrastructure retail_order_broker communications_design_studio communications_service_broker fusion_middleware_mapviewer communications_interactive_session_recorder access_manager retail_size_profile_optimization application_testing_suite communications_convergence enterprise_communications_broker communications_converged_application_server_-_service_controller communications_contacts_server insurance_rules_palette retail_pricing banking_digital_experience rest_data_services communications_offline_mediation_controller utilities_testing_accelerator solaris_cluster communications_cloud_native_core_network_repository_function active_iq_unified_manager helidon retail_integration_bus agile_engineering_data_management enterprise_session_border_controller communications_diameter_intelligence_hub debian_linux weblogic_server communications_pricing_design_center health_sciences_information_manager application_performance_management flexcube_core_banking retail_xstore_point_of_service insurance_policy_administration financial_services_model_management_and_governance real_user_experience_insight commerce_guided_search webcenter_portal Apache Commons IO

CWE ID-CWE-20

Improper Input Validation

CWE ID-CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2021-28164

Assigner-Eclipse Foundation

View Details

Assigner-Eclipse Foundation

CVSS Score-5.3||MEDIUM

EPSS-93.48% / 99.82%

||

7 Day CHG~0.00%

Published-01 Apr, 2021 | 14:20

Updated-03 Aug, 2024 | 21:40

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

CWE ID-CWE-551

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

CWE ID-CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CVE-2021-28163

Assigner-Eclipse Foundation

View Details

Assigner-Eclipse Foundation

CVSS Score-2.7||LOW

EPSS-0.15% / 36.43%

||

7 Day CHG~0.00%

Published-01 Apr, 2021 | 14:20

Updated-03 Aug, 2024 | 21:40

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

CWE ID-CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE ID-CWE-59

Improper Link Resolution Before File Access ('Link Following')

CVE-2020-11987

Assigner-Apache Software Foundation

View Details

Assigner-Apache Software Foundation

CVSS Score-8.2||HIGH

EPSS-0.58% / 67.88%

||

7 Day CHG~0.00%

Published-24 Feb, 2021 | 00:00

Updated-04 Aug, 2024 | 11:48

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CWE ID-CWE-20

Improper Input Validation

banking_digital_experience

Source -

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -