epicosy

11 exploits Active since Sep 2013
CVE-2020-13973 NOMISEC MEDIUM WRITEUP
OWASP json-sanitizer < 1.2.1 - XSS
OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript.
CVSS 6.1
CVE-2020-26217 NOMISEC HIGH STUB
XStream < 1.4.14 - OS Command Injection
XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
CVSS 8.0
CVE-2019-15477 NOMISEC MEDIUM STUB
Jooby < 1.6.4 - XSS
Jooby before 1.6.4 has XSS via the default error handler.
CVSS 6.1
CVE-2019-13990 NOMISEC CRITICAL STUB
Terracotta Quartz Scheduler < 2.3.0 - SSRF
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CVSS 9.8
CVE-2019-17513 NOMISEC HIGH STUB
Ratpack < 1.7.5 - Injection
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
CVSS 7.5
CVE-2018-25075 NOMISEC MEDIUM WRITEUP
karsany OBridge < 1.3 - SQL Injection
A vulnerability classified as critical has been found in karsany OBridge up to 1.3. Affected is the function getAllStandaloneProcedureAndFunction of the file obridge-main/src/main/java/org/obridge/dao/ProcedureDao.java. The manipulation leads to SQL injection. The complexity of an attack is rather high. Exploitation is reported to be difficult. Upgrading to version 1.4 addresses this issue. The name of the patch is 52eca4ad05f3c292aed3178b2f58977686ffa376. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218376.
CVSS 4.6
CVE-2018-1000844 NOMISEC CRITICAL STUB
Squareup Retrofit < 2.5.0 - XXE
Square Open Source Retrofit prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains an XML External Entity (XXE) vulnerability in JAXB that could allow an attacker to remotely read files from the file system or to perform SSRF. This vulnerability appears to have been fixed as of commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.
CVSS 9.1
CVE-2016-5394 NOMISEC MEDIUM STUB
Apache Sling < 1.0.12 - XSS
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
CVSS 6.1
CVE-2016-10006 NOMISEC MEDIUM WRITEUP
OWASP AntiSamy < 1.5.5 - XSS
In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
CVSS 6.1
CVE-2015-6748 NOMISEC MEDIUM WRITEUP
Jsoup < 1.8.3 - XSS
Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.
CVSS 6.1
CVE-2013-4378 NOMISEC WORKING POC
Emeric Vernat JavaMelody < 1.46 - XSS
Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsReport.java in JavaMelody 1.46 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted X-Forwarded-For header.