dawetmaster

165 exploits Active since Aug 2013
CVE-2013-2172 NOMISEC WORKING POC
Apache Santuario XML Security for Java <1.4.8/1.5.5 XML Signature Spoofing
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
CVE-2013-2186 NOMISEC WRITEUP
Redhat Jboss Enterprise Brms Platform - Improper Input Validation
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
CVE-2013-4517 NOMISEC WORKING POC
Apache Santuario XML Security for Java <1.5.6 - DoS
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
CVE-2013-5679 NOMISEC WORKING POC
OWASP Enterprise Security API for Java 2.x < 2.1.0 - Authenticated-Encryption Bypass via Null MAC
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.
CVE-2013-5960 NOMISEC WORKING POC
OWASP Enterprise Security API 2.0-2.1.0 - Authenticated Encryption Bypass via Ciphertext Tampering
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.
CVE-2013-6465 NOMISEC MEDIUM WRITEUP
JBPM KIE Workbench 6.0.x - Authenticated Cross-Site Scripting via Task Name HTML Input
Multiple cross-site scripting (XSS) vulnerabilities in JBPM KIE Workbench 6.0.x allow remote authenticated users to inject arbitrary web script or HTML via vectors related to task name html inputs.
CVSS 5.4
CVE-2014-0050 NOMISEC WRITEUP
Apache Commons FileUpload <1.3.1 - DoS
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
CVE-2014-3488 NOMISEC STUB
Netty < 3.9.2 - Denial of Service via SSLv2Hello Message
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
CVE-2014-3651 NOMISEC HIGH WRITEUP
Keycloak < 1.0.3 - Denial of Service via Large QR Code Size Parameter
JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation.
CVSS 7.5
CVE-2014-7816 NOMISEC STUB
WildFly Directory Traversal
Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.
CVE-2015-2156 NOMISEC HIGH STUB
Netty Cookie HttpOnly Flag Bypass via Improper Input Validation
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
CVSS 7.5
CVE-2015-2912 NOMISEC HIGH STUB
OrientDB Server Community Edition <2.0.15 & <2.1.x - CSRF
The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.
CVSS 8.8
CVE-2015-2913 NOMISEC MEDIUM STUB
OrientDB Server Community Edition <2.0.15 and 2.1.x <2.1.1 - Information Disclosure
server/network/protocol/http/OHttpSessionManager.java in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of random Session ID values, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class.
CVSS 5.9
CVE-2015-3271 NOMISEC MEDIUM STUB
Apache Tika Server < 1.10 - Exposure of Sensitive Information via HTTP fileUrl Header
Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header.
CVSS 5.3
CVE-2015-5253 NOMISEC STUB
Apache CXF <2.7.18, <3.0.7, <3.1.3 - Auth Bypass
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
CVE-2015-6254 NOMISEC STUB
PicketLink <2.7.0 - Info Disclosure
The (1) Service Provider (SP) and (2) Identity Provider (IdP) in PicketLink before 2.7.0 does not ensure that the Destination attribute in a Response element in a SAML assertion matches the location from which the message was received, which allows remote attackers to have unspecified impact via unknown vectors. NOTE: this identifier was SPLIT from CVE-2015-0277 per ADT2 due to different vulnerability types.
CVE-2015-6748 NOMISEC MEDIUM STUB
jsoup < 1.8.3 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.
CVSS 6.1
CVE-2016-1000031 NOMISEC CRITICAL WORKING POC
Apache Commons FileUpload <1.3.3 - RCE
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
CVSS 9.8
CVE-2016-3092 NOMISEC HIGH WORKING POC
Apache Tomcat 7.x < 7.0.70, 8.x < 8.0.36, 8.5.x < 8.5.3, 9.x < 9.0.0.M7 - Denial of Service via Long Boundary String
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
CVSS 7.5
CVE-2016-4464 NOMISEC CRITICAL WORKING POC
Apache CXF Fediz 1.2.0-1.2.2 and 1.3.0 - Improper Access Control via SAML AudienceRestriction Bypass
The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.
CVSS 9.8
CVE-2016-4974 NOMISEC HIGH WRITEUP
Apache Qpid AMQP JMS Client < 6.0.4 & JMS (AMQP 1.0) < 0.10.0 - RCE via JMS ObjectMessage Deserialization
Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.
CVSS 7.5
CVE-2016-6801 NOMISEC HIGH WORKING POC
Apache Jackrabbit < 2.4.6 - CSRF
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
CVSS 8.8
CVE-2016-6802 NOMISEC HIGH STUB
Apache Shiro < 1.3.2 - Filter Bypass via Non-Root Servlet Context Path
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
CVSS 7.5
CVE-2016-6809 NOMISEC CRITICAL STUB
Apache Tika < 1.14 - Remote Code Execution via MATLAB File Deserialization
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
CVSS 9.8
CVE-2011-4367 NOMISEC STUB
Apache MyFaces Core <2.0.12, <2.1.6 - Path Traversal
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.